Compliance

New security metric on the horizon

Judi Hasson — Wed, 10 Sep 2008 10:51:58 -0400

Are you looking for a way to determine whether your enterprise security is up to speed? The Center for Information Security will release guidelines this fall to help enterprises measure the state of their organization's security, and give them a way to compare their performance with their peers.

"The problem that we've come to recognize is that information security professionals really are growing more confused on how to define success," said Carl Miuccio, the center's CEO. "They know that compliance with regulatory requirements and audit frameworks do not necessarily result in improved security and are not the best measures of success."

Miuccio has assembled 85 information security experts to agree upon methods to measure eight different metrics. The group also plans to launch a software-based service for companies to compare how they are doing in terms of security against other anonymous similar companies.

For more on this metric:
- see this CSO Online article

Protect your IM security

Judi Hasson — Wed, 27 Aug 2008 11:48:50 -0400

Instant messaging has become a common workplace tool, but companies that fail to install security software are doing so at their own peril. InfoWorld.com reports that many business have had difficulty limiting the usage strictly to internal use, making the need for security capabilities that support instant messaging and other real-time communication applications more pressing than ever. The publication offers IT executives some good advice on choosing appropriate IM security products.

The tips include determining the types of IM-related risks and threats that are relevant to your organization; assessing whether traffic logging and content archiving are important to you because of compliance and legal needs; figuring out what IM usage policy is relevant to your organization, including whether some communications should be blocked for certain groups but permitted for others; and determining if any fine-grained controls for IM filtering on user identity, IP addresses, file attachment type and embedded URLs are needed.

For more on IM security:
- check out this InfoWorld.com article

IT execs overconfident about e-discovery

Mon, 09 Jun 2008 06:59:59 -0400

A new research report has found that IT executives are confident they can respond to e-discovery litigation requests given their significant investments in records management, archiving and information retention. But the report by IDC suggested that the CIOs may need to take another look, and may not be as prepared as they think.

The survey found organizations lacking in standardized policies and IT practices for activities related to the identification, preservation and collection of potentially responsive data.

For more detail on e-discovery gaps:
- see this CIO.com article

Are you strong enough to be a CIO?

Mon, 19 May 2008 06:59:58 -0400

Michael Krigsman, the CEO of Asuert, Inc. a software and consulting company, says that CIO's have tough jobs dealing with both high-level business strategy and detailed technology decisions, and often get themselves in a bind.

For those who aspire to be CIOs, Krigsman offers a self-test to see whether you may qualify for the top technology job in your organization. He offers a list of 10 questions, including whether you are uncomfortable working with senior management, whether you are competent on issues of financial management, whether you like business strategic planning and whether you can implement and adjust to constant change.

To take the CIO test:
- see this zdnet.com article

More work needed on risk management

Thu, 03 Apr 2008 07:59:58 -0400

A new survey by Ernst & Young LLP, entitled "Managing Information Technology Risk," found that an effective ITRM program is still missing from many companies at a time when it is important to have these programs in place. Nearly 60 percent of 150 respondents indicated that their programs were not aligned with the organization's Enterprise Risk Management (ERM) strategies and framework. Forty percent of respondents indicated that they did not have effective coordination of risk and compliance activities.

"While cost savings can be significant, it's the top-line benefits that result from actionable risk reporting, strategic investments, and enhanced organizational performance that will be significantly more valuable over the long term to the individual organization and the financial services industry as a whole," said Bill Barrett, practice leader of Ernst & Young's Technology and Information Practice in Ernst & Young's Financial Services Office in New York.

For more on this survey:
- See this SOX Compliance Journal article

More tech stories from the FierceCIO network:
> Live coverage of CTIA Wireless 2008. Article
> Google Docs go offline. Article
> A conversation with Larry Ellison. Article

Data theft puts IT on hot seat

Mon, 31 Mar 2008 07:59:59 -0400

The tech industry has been analyzing and evaluating the recent theft of 4.2 million credit and debit card numbers from the Hannaford supermarket chain, a Maine-based grocer. And what they are finding is quite unsettling. While the theft is tiny in comparison with last year's massive data breach involving 94 million cardholders at The TJX, it is worrisome for different reasons. The theft was the first known heist that occurred when customer data was in transit as opposed to sitting in a database. What's more, the company was in compliance with the Payment Card Industry Data Security Standards (PCI DSS). That standard was established by major credit card companies to protect the privacy of customer data. But some experts say that is not enough of a wall to protect valuable information from being stolen. What's a company to do? Put added safeguards in place and review them often. Check out your security protections and make sure they work. Lawsuits are expected in the wake of this latest theft. And that should come as no surprise.

For more on the fallout from this data theft:
- Check out this SearchCIO article

Other articles on data theft:
- Malware blamed on supermarket leak. Article
- Questions about Hannaford theft. Article
- A well-orchestrated leak. Article

Vista upgrade coming this week

Mon, 17 Mar 2008 07:59:58 -0400

At the back of your mind is a gnawing question: What do I do about Windows Vista? You may be able to rest more easily sooner than you think. This week, the first major upgrade of Vista arrives as a service pack. Microsoft says this one, known as Service Pack 1 (SP1), will tackle four core areas: Reliability, security, compatibility and performance. There are no new features, and many of the benefits will appeal to large corporate enterprises rather than folks at home, according to a blog on USA Today. Some of the same problems remain--painfully slow boot times and overly intrusive security pop-ups. This is not supposed to be a band-aid, and if it turns out to be, call Microsoft pronto!

For more on the Windows Vista upgrade:
- see this USA Today article

Related Articles:
What's next for Mifare? Article
Top challenges to compliance in virtualization. Article
DataVis wants to bring Office to the iPhone. Article

The top challenges to compliance in virtualization

Fri, 14 Mar 2008 07:59:55 -0400

Chris Farrow of Fortisphere, in a recent News.com article outlined some challenges for achieving IT compliance in the field of virtualization. For example, the discovery and inventory of virtual machines can be tricky, given that virtual machine resources cannot be tagged physically. Also, what is the company's policy pertaining to rogue virtual machines? Closely related to this would be the importance of maintaining a chain of custody in which an audit trail of approved changes is documented. Farrow also discusses the importance of segregating low-risk virtual machines from high-risk or mission-critical ones, and the need to track software licenses for violations. Because virtualization is relatively new, he advocates that companies ensure they retain the appropriate expertise in their technical personnel.

For more on the challenges to IT compliance in virtualization:
- check out this ZDNet article

The high cost of SOX just went down

Thu, 07 Feb 2008 06:59:59 -0500

Companies are spending a ton of money complying with the Sarbanes-Oxley law, and that probably includes your firm. Just listen to the numbers. In 2007, American businesses spent $6 billion on SOX, as the federal regulation is commonly called. And while it has leveled off a bit, it still takes a big bite out of a company's budget.

The law was passed in 2002 in reaction to enormous corporate transgressions taking place such as the Enron meltdown. It made company executives liable if erroneous financial statements were filed. The regulations putting SOX into effect made CEOs vulnerable if they did not ensure the integrity of the systems that process their data. That was a high bar to jump for any CEO!

The Public Company Accounting Oversight Board (PCAOB), which was charged by Congress to enforce accounting regulations, has watched how accounting firms have run up huge fees as companies try to comply with the law that requires auditors to tie compliance directly to its impact on financial reporting. "If you can't link something to the financial statements, it's out of scope." explains Sharon Virag, the PCAOB's technical policy implementation director. "We used to hear people talk about the financial-transaction flows through this system, so the system is brought into scope. Now, you only need to focus on the parts that apply to the risk."

The change lifts the burden from the CEO and puts it on the back of the auditor. "For the first time, auditors are not going to be allowed a blank check for compliance," says Connie Whitecotton, vice president and chief risk and compliance officer at Alfa Insurance, a $700 million insurance company in Montgomery, Ala. She says the key to SOX is understanding risk and adequate controls. "We've got to understand it to contain the auditors," she said. And it all might mean that there's a little more money in your budget. Let us know if this is any sort of relief to you.

For more on SOX:
- See this Baseline Magazine article

ALSO NOTED: The Netherlands going open-source in 2008; Firefox 3 Beta 2 coming this month;

Fri, 14 Dec 2007 06:59:51 -0500

> the Netherlands is going open-source in 2008. Article
> Firefox 3 Beta 2 coming this month. Article
> Opera tries to force W3C compliance from IE. Article
> Toshiba launches new line of 1.8" drives. Article
> Zumobi browser for WM5 and 6: Beta now live. Article

And Finally... iPods frozen inside popsicles. Article