auditing

Keep on top of mobile work

Thu, 20 Dec 2007 06:59:58 -0500

If there is any message for the CIO this year, it's this: Get smarter faster. And one way to do that is to tap into existing tools that will help you comply with outside and inside forces for doing business. One of them is an auditing and archiving tool called Retain by GWAVA, which provides enterprise security and policy compliance products. This technology allows users on BlackBerry smartphones to archive text messages and phone logs.

As the need for archiving grows with new demands for eDiscovery and a plethora of information online, CIOs need all the help they can get to keep track of the Internet world and their employees. There's an added benefit, too. IT executives can view the database with the Retain Archive Viewer at their workstations. And they can obtain records using search criteria or choose to be alerted when keywords appear in text messages. It may be important to know what an employee is doing during the workday, especially if it impacts the daily and long term work. And it may be even more important if a company gets a subpoena for electronic information relating to any aspect of a job to make sure that electronic data can be retrieved.

For more on archiving mobile technology:
- Check out this InformationWeek Article

Tips for controlling your software maintenance costs

Mon, 20 Aug 2007 06:59:57 -0400

When it comes to big costs to the network, software maintenance fees always top the list. Companies will spend $160 billion this year alone on software. They will then spend another $100 billion on maintenance costs. Indeed, analysts say that CIOs on average are overspending almost 30 percent on software licenses and maintenance. Scott D. Rosenberg, CEO and founder of Miro Consulting, offers some great advice in Baseline on how best to control these costs. He recommends CIOs start by conducting an enterprise review or audit, allowing plenty of time--in some instances, up to six months-- to negotiate agreements and to conduct what-if analysis. He also recommends self-auditing twice a year.

For the full list of recommendations on how to better control costs:
- read the article in Baseline

Un-integrated security can be dangerous

Wed, 18 Jul 2007 20:01:38 -0400

Perhaps the only thing that enterprises find more threatening than security vulnerabilities are the potential penalties for falling out of compliance. There is a consensus emerging that these two corporate pitfalls should not be viewed in a vacuum and that companies should integrate encryption, access control, and auditing functions. According to Wikibon, a newly formed community of experts that offers free research and advisory services on storage issues, companies need to integrate compliance requirements with life cycle management. David Floyer, a former IDC analyst and one of the founders of Wikibon believes that encryption is one way to secure data when it comes to storage, but that's only part of the solution. It's not feasible to encrypt all of the data in a data center, since the volumes of data are typically too large and there are too many servers accessing data, among other factors. It does, however, make sense to encrypt data where there's a regulatory requirement, such as personal records. Encryption also makes sense when transporting data over a network or physically by tape.

For more on the intersection between security and compliance:
- see this InformationWeek article

Policy: The first step toward risk management

Thu, 10 May 2007 20:01:39 -0400

When it comes to dealing with risk management issues, think policy first and technology second. Build a defensible case. Once you have a policy in place, technology--in the areas of Identity and Access Management (IAM), Security Information and Event Management (SEIM), configuration auditing, content monitoring, database activity monitoring and IT governance risk/compliance--can help. If you implement only one technology, it should be IAM, with SIEM running a close second. But they are no substitute for solid policy. Configuration management systems can help find faulty business practices, but it's policy that makes users understand what's acceptable usage and what isn't. Configuration auditing technology pinpoints unauthorized changes in the network, but you still need well-defined configuration policies and change management processes. Database activity monitoring technologies are a good idea, but it's not enough; systems must be re-engineered for encryption. IT governance and policy management technology can help businesses strengthen external audit posture and can reduce the cost of control measurement and compliance reporting, but it shouldn't be considered a substitute for policy development work.

Learn more about the importance of policy in risk management:
- read the article at SearchCIO

ALSO: read this on the intersection of risk and compliance

Communication overload

Thu, 10 May 2007 20:01:39 -0400

Modern communications includes multiple phone numbers, inboxes and contact routes, and it's difficult to discern which of these messages are important or urgent. What's more, all of these communication mechanisms cause significant distractions, which slow productivity. The problem is that there is nothing to control the sequencing or interaction between different channels. That can be potentially disastrous from an auditing perspective, where actions triggered by one message are not countermanded by another message through an alternative route. This situation requires policies that define suitable and unsuitable paths for different types of communication. The environment, both management and technology, must also provide support. Defining 'urgent' and 'important' should be an integral part of the management process, just like setting and measuring objectives.

Read more about reducing communication overload:
- read the article at IT-Director.com

Endpoint policy management

Mon, 19 Mar 2007 20:01:38 -0400

Securing the configurations on all PCs within the enterprise--even unconnected devices--is a difficult task, but critical to the security of the enterprise and the most important step in doing so is developing policies for securing all machines. Only by creating and enforcing policies can companies maintain security configurations in a way that protects them from attacks and regulatory scrutiny. Luckily, a variety of endpoint policy management tools can help IT managers protect their networks. One example is FullArmor's solution, a software appliance that automates delivery, enforcement and auditing of security policies on remote and mobile devices. Senforce Technologies offers software that combines several driver-layer technologies and other applications designed to safeguard networks, and InfoExpress makes CyberGatekeeper Remote, which sits between remote endpoints and the network and audits the network for policy compliance, blocking access and redirecting the user to get the proper settings in order to gain admission.

Learn more about the tools available to manage endpoint security:
- read the article at TechTarget

Wireless data access goes mainstream

Sun, 04 Feb 2007 19:01:38 -0500

Wireless data access is quickly becoming a requirement for enterprises that want to remain competitive. The most popular platforms through which corporate users are accessing data wirelessly are laptops, followed by smartphones. Generally, employees are using these devices to access desktop applications, but increasingly, employees want to access enterprise-wide applications, such as ERP (Enterprise Resource Planning), CRM (Customer Relationship Management) and salesforce/fieldforce automation apps. To plan for this inevitability, CIOs should start thinking about how to choose a carrier, plan and device and how to manage plans centrally and develop policies that address data auditing, security and budgeting.

Learn more about the inevitability of wireless data access in the enterprise:
- read the article at Network Computing

How NYSE is dealing with SOX

Wed, 10 Jan 2007 19:01:39 -0500

The NY Stock Exchange has a huge project ahead of it now that it has become a publicly traded entity. Due to that change, it will now have to meet the Sarbanes-Oxley (SOX) requirements and as a result, will have to boost already strong data protection measures. As the tech leaders explain, there is no one singular tech tool that will do the job, nor will a simple strategy, given the number of points that data touches both within and outside of the organization. The work requires a "comprehensive defense in-depth mechanism," as well as processes and technology to boost auditing and accountability.

For more on the NYSE SOX approach:
- read the story at Wall Street & Technology

The need for controls in good change management

Thu, 16 Nov 2006 19:01:37 -0500

As one IT expert acknowledges, change is always painful and so is the process of change management. But there are some best practices that CIOs can follow to ease the hurt, at least a little bit. The first is identifying and enforcing "process commandments" and the second is understanding how unauthorized changes impact the organization and why auditing such changes is key to getting good processes in place. It's all about having control.

For more on making change management less painful:
- read the column at CIO

How to foster CIO/CSO collaboration

Wed, 13 Sep 2006 20:01:35 -0400

Defining the relationship between a CIO and a CSO (Chief Security Officer) can be difficult as lines of responsibility blur when it comes to dealing with all the technology and security tasks facing both roles. But as the CIO and CSO of TriWest Healthcare Alliance explain, if you take the time to collaborate and map out specific duties regarding how the security team fits into the overall tech landscape, it's not too hard. Understanding each other's views and agreeing to definitions of tasks is a huge part of making the CIO/CSO roles work well together. For example, while one big security task at TriWest is auditing the IT effort and operations, its CSO says he prefers the term, and the concept, of assessment rather than auditing. Collaboration is key.

For more on CIO/CSO relations:
- read this interview at CIO