Echelon One

Executive Security Intelligence

Research Paper Abstracts

Improving Risk Decisions
Jack Jones
April 3rd, 2008

Too often, information security risk decisions fall victim to one or both of the following fundamental problems: decisions are made by the wrong people or they’re made with inadequate information. Failure to understand and agree upon who should be making which risk decisions can lead to unmet expectations and objectives, lack of executive management support, and impact to other business priorities.

Offshore Outsourcing Risks – Look Under the Covers
Jennifer Kurtz, David Mortman and Bob West
February 5, 2008

Many organizations perceive that offshore outsourcing makes sense either because it will save them money or because their competitors have work done offshore. However, the real costs and risks may not have been taken into account upfront. This note covers some of the costs and risks that are associated with offshore outsourcing and potential ways to mitigate those risks.

Security Criteria For Selecting A Database
David Mortman
January 29, 2008

Opinions and vendor hype about the inherent security of various database products abound. Understanding a vendor’s overall approach to security assurance is critical for selecting database – and other – products that meet an organization’s security standards. This research note outlines an approach that will help organizations evaluate objectively how security is integrated into commercial database solutions. It recommends seven key points to consider when making a critical database purchasing decision: vendor disclosure of its product’s particular vulnerabilities and their severity; relevant security features; integrated product development security processes; ongoing vendor-provided software assurance; patch remediation logistics; independent product vulnerability assessment; and product administration usability.


Information Security State of Affairs
Jennifer Kurtz and Bob West
December 17, 2007

The current state of the information security ecosystem is bleak. This is no surprise and exposes companies, governments, and individuals globally to fraud and financial loss. This research note provides an overview of the threats and recommendations on how to address these threats.


Leveraging Compliance For Security
David Mortman
November 1, 2007

Compliance is not a technology problem – it’s a business problem. By instituting sustainable business processes that effectively leverage people and technology, enterprises will become not just more secure but also compliant with current and emerging regulations.


Survival Strategies under New Court Rules for Electronic Evidence
Jeffrey Ritter, Esq.
August 22, 2007

Information security professionals will increasingly be involved in the discovery, recovery, preservation and production of electronically stored information as evidence in legal actions. New rules adopted in Federal and state courts, and similar procedures being employed by regulatory agencies, emphasize the role and importance of information security in assuring the integrity of electronic evidence. This note presents four insights describing how the new rules impact information security management practices and five survival strategies which information security professionals can use inside the company to improve their effectiveness in helping prove the truth of electronic records.


The Power of Being Positive
Mark Bouchard
June 22, 2007

One result of all the fanfare around intrusion detection and prevention technology in recent years is that many organizations have neglected their firewalls and are often under-valuing the significance of the role they can play, especially when it comes to thwarting unknown attacks.


The State of FFIEC Compliance
William J. Malik
April 19, 2007

At February’s RSA Conference, Echelon One’s panel discussed the current state and future direction of FFIEC guidance.


User Security Training
David Mortman
April 3, 2007

Contrary to popular belief, Security Awareness Training need not be just a necessary evil, but rather an effective method of communicating with and training employees. This research note will outline both the need and scope of an effective security training program.

Vulnerability Disclosure and the Enterprise
Scott Blake and David Mortman
March 19, 2007

Information security professionals, especially those in the enterprise, should support and encourage the public disclosure of vulnerability information. There are three primary reasons for this. First, vulnerabilities in the public domain have little to no economic value to actors willing to pay to suppress the information. Second, although vendors should always be given a chance to respond to vulnerability information before it is publicized, the expectation that disclosure will inevitably occur is an essential economic incentive that pushes vendors to build more secure technology. Third, and perhaps counter-intuitively, enterprises are less at risk from the exploitation of vulnerabilities that are publicly known than from those that are held in secret. Despite the increased likelihood of automation of vulnerability exploitation when an issue is made public, the benefits in the form of taking the issue away from serious criminals, forcing a timely fix from the vendor, and reducing the impact of exploitation far outweigh the potential for increased frequency of exploitation.


Business Continuity in Context
William J. Malik
March 7, 2007

Business continuity planning should begin with business process analysis. This note describes an efficient, cost-effective method for developing and validating a business continuity program.


Embrace This Five-Step Program Now!
Mark Bouchard
February 27, 2007

The potential exposure of personal data as a result of lost/stolen laptops and other data devices is troubling, particularly given: the frequency of such incidents, their potential impact on individuals and organizations, and the relatively straightforward measures that can be taken to prevent or mitigate them in the first place.


Incident Management: The Tactical Realities of Strategic Thinking
Bill Spernow
February 6, 2007

While many organizations have incident response management plans on the shelf, few have considered developing plans specifically designed to cope with unanticipated emergencies. This research note offers steps you can take today to improve the scope and structure of your incident management response process so your employees are capable of handling the unthinkable event of tomorrow.


Symantec to Acquire Altiris
Scott S. Blake
January 31, 2007

Symantec's acquisition of Altiris extends Symantec's position in both systems management and security management markets as well as furthering the established trend toward the convergence of information security and systems management. Impacts on customers will be slow in coming as Symantec has announced that Altiris will operate as an independent business unit initially.


Practical Limitations on Role-based Authorization
William J. Malik
January 23, 2007

Roles can help address certain access issues in an organization by managing the identity of people and processes, but most organizations create a group of overly complex role definitions. This note discusses a practical way to simplify the role life-cycle process: create a small number of roles for the majority; use more granular roles on an exception basis; allow the administrative workflow to capture any exceptions that arise. A provisioning tool should have a reporting mechanism to abstract groups of resources to allow audit and compliance - without the troubles and expense a comprehensive role definition exercise will require.


Standards in Security Management
Karen Worstell
January 9, 2007

The update to BS 7799 recently released by ISO/IEC provides an excellent foundation toward defining an Information Security Management System (ISMS). The standard’s recommendations for demonstrating effectiveness of the ISMS based on measurements will promote standardization of information security practice across businesses. The ISO/IEC 27001 (ISO/IEC 27001:2005(E)) standard defines an excellent set of processes that should form the basis of a well-rounded security practice for any agency or enterprise. In particular, it establishes expectations for accountability and evidence of control appropriateness and control effectiveness. These three areas – process, accountability and evidence – are discussed in more depth in this research note, along with some suggestions for implementation. In the long term, this standard (along with other information security guidance in FFIEC for financial institutions, NIST 800 for US federal agencies, ISO/IEC 17799:2005, CobiT and ITIL) will enable organizations that desire a competitive advantage for trusted business to claim conformance to an internationally recognized set of well-structured rules to improve process, policy and technology.


Preparation For 9/11 Anniversary
Bob West
September 1, 2006

This article advises companies to commemorate the fifth anniversary of the 9/11 attack on the New York City World Trade Center towers by reviewing and validating their incident response, disaster recovery and business continuity plans. Plans should be reviewed to prepare for the anniversary time frame and also for the longer term.


EMC Acquires RSA Security
Bob West
July 3, 2006

EMC's acquisition of RSA Security in mid-2006 gave EMC an immediate and dominant position in the information security market. In keeping with its evolution from an exclusively storage company to one that provides services for the overall life-cycle of information management, the acquisition will help ensure the integrity of the information stored on its systems. In particular, the identity management, encryption and key management solutions will allow EMC to provide a holistic information management solution. Long-term success will be influenced by whether the EMC executive team provides the information security division sufficient resources and independence to pursue best-in-class information security solutions.


FFIEC Authentication Guidance Update
Bob West
June 7, 2006

On October 12, 2005, the FFIEC updated its interagency guidance (translation: mandate) "Authentication in an Internet Banking Environment" which was originally published in 2001. This update on the state of the U.S. financial services community with respect to progress against the guidance observes that two distinct mindsets exist: just doing enough to satisfy the regulators, and alternatively, designing a solution that will serve as a long-term investment that can help minimize the phishing, pharming and other related issues the market is experiencing. The Office of Comptroller of Currency (OCC), the Federal Reserve, Office of Thrift Supervision, and National Credit Union Association (NCUA) expect financial institutions to achieve compliance with this guidance by December 31, 2006. This may, however, be difficult for smaller institutions. It is quite possible that other vertical markets - especially those fully dependent on eCommerce - will view this as a test bed, follow the financial services sector guidance, and implement stronger methods of authentication. The initiative may also be a catalyst for federated identity initiatives.


Information Security Governance
William J. Malik
August 9, 2006

ISACA has released version 2 of its Information Security Governance: Guidance for Boards of Directors and Executive Management. This article discusses the enhancements made over version 1 in its coverage of seven key elements: governance, policy, business (not technology) architecture, awareness and training, technology, logging/auditing/reporting, revitalization. By deploying an effective governance structure, the enterprise will be on the path towards deploying a comprehensive and efficient information security program.


Contact us at inquiry@echelonone.net for more information.