The Compliance and Security Connection

BS 25999- The Standard and Its Value Proposition

2008-11-20T05:00:00-08:00

BS 25999 became a formal business continuity standard in November 2007. Since then, a very large number of organizations from all around the world in both the public and private sector began evaluating the standard, as well as the value associated with the certification process.

Recently, Brian Zawada, CEO of Avalution Consulting, joined me for a web presentation introducing BS 25999, outlining why it's different from other standards and regulatory requirements, and addressing what an organization needs to do in order to be compliant with its requirements. The presentation also offered some recent observations on how BS 25999 compliance can improve business continuity program performance - even if the organization never pursues certification.

Joining Mr. Zawada was Michael Godin, Senior Systems Engineer with Ecora Software. Michael shared how an automated configuration audit and compliance reporting solution like Ecora Auditor Pro can automate important enterprise configuration audit reporting that will not only aid in your BS 25999 certification process, but will also ensure those standards continue to be sustained.

I'm pleased to let you know that a Flash recording of this presentation is available now. By simply registering here, you will be able to download the recording of Brian and Michael's presentation and be able to download a PDF of the Powerpoint slides they used.

What you will learn by downloading and watching this Webinar:

An introduction to BS 25999
Why BS 25999 is different from other standards and regulations
What a company needs to do to become compliant with BS 25999
How BS 25999 compliance can improve your business continuity program
The importance of automating the discovery and reporting of enterprise configuration attributes for establishing a business continuity program
Establishing policies and rules to measure against current system configurations to ensure BS 25999 standards are maintained

Contributed by Mark Tordoff

Leveraging ISO 27001 for Improving the Security, Compliance and Performance of Information Systems

2008-11-17T05:37:10-08:00

Steve Wright, Senior Manager for Risk & Advisory Services at PriceWaterhouseCoopers LLP, has worked with many international organizations to complete ISO27001 Certification projects over the past eight years and has worked with many of these same corporations to establish information security management systems (ISMS) compliant with Corporate Governance requirements such as - Combined Code, HIPAA, SOX, CobiT, ITIL, PCI DSS, ISO9001 and CMMI.

Recently, Steve joined me to share his conclusions on best practices for "future-proofing" ISO27001 implementations and maximizing ROI. Steve demonstrated how leading organizations are embracing the best practices to achieve regulatory compliance and create a Management System for Internal Control. Steve also covered how to leverage an ISMS for security, risk, compliance and operational benefit.

Joining Steve was Michael Godin, Senior Systems Engineer with Ecora Software. Michael shared how Ecora's Auditor Professional 4.5 can help to establish a comprehensive understanding of your infrastructure's configuration, how to create policies and rules based on ISO27001 to determine the gaps in your present configuration, and how to effectively identify and remediate gaps that may develop to ensure compliance with your standards is sustained.

I'm pleased to let you know that a Flash recording of this presentation is available now. By simply registering here, you will be able to download the recording of Steve and Michael's presentation and be able to download a PDF of the Powerpoint slides they used.

What you'll learn by downloading and watching this Webinar:

How ISO 27001 ISMS is being used today
What some of the challenges of implementing an ISMS are and how are they overcome
How to make an ISMS the platform for the future and maximize your ROI
Identifying cases outside of traditional security and how to choose a platform that will support them
How an automated configuration audit and analytics solution can make ISO 27001 more successful

Contributed by Mark Tordoff

An Update on the Ecora Blog

2008-10-20T13:19:58-07:00

I just wanted to write a brief note to let everyone know that I will be unable to make new posts to the Ecora Software blog for a while due to some new surgery that I will be having this Wednesday that will have me sidelined for quite some time.

I am looking forward to regaining my full health and being able to return and share new thoughts and even new topics with you soon.

Thanks to each of you for taking the time to read my thoughts and especially to so many of you who have taken the time to post comments over the past few years.

Best regards,

Mark

Introduction to Effective Records and Data Management Programs

2008-09-10T02:22:56-07:00

Today at 1pm Eastern, I will be participating in a webinar featuring Rebecca Bates Manno, Ken Tuggle, Bob Webb, and Bob Dibert, who are attorneys with the Louisville, Kentucky office of Frost Brown Todd LLC; and Michael Godin, a Senior Systems Engineer with Ecora Software.

In this presentation, our presenters from Frost Brown Todd will teach you how to avoid the devastating problems that your company may face if it does not implement and maintain an effective records retention and data management program. Specifically, you will learn how to develop an effective records retention and data management program for your company; how to staff your record and data management team; how to avoid obstructing justice in the course of destroying documents and data; and the benefits of having a records retention program in place when (not if) your company becomes involved in an audit, investigation or lawsuit.

Michael will follow our attorney-presenters to share how Ecora's Auditor Professional 4.5 can provide comprehensive reporting of how the infrastructure protecting your data is configured, particularly how to create policies and rules validating system configurations around critical data continue to be sustained, and how to identify changes in your system configuration that could make you vulnerable to an internal or external data breach.

You can register for this session by registering here.

This session covers:

What is a Records and Data Management Program (RDMP)?
Developing an effective RDMP
Implementing the RDMP
Reconciling Record Retention Policies with Obstruction of Justice statutes
The emergency of eDiscovery Law
Avoiding Criminal Conduct Sanctions
Prevention vs. Cure: Understanding the infrastructure surrounding your data

I hope you are able to join us for this important, free presentation.

Contributed by Mark Tordoff

ITIL version 3: One Year Later

2008-09-09T07:56:05-07:00

It's been a little over a year since the introduction of version 3 of the IT Infrastructure Library (ITIL). Gary Anthes did a great job documenting "How to Get More Out of ITIL with Version 3" in the July 21st edition of Computerworld. In today's post, I'd like to share some of the points Gary made that stood out to me.

Before we do that, let's touch on the basic difference between version 2 and 3. Megan Pendlebury, the Service Management Executive with itSMF UK, does a good job of sharing her impressions of what's different.

"V2 took a very process driven view and led to people working within their own silo rather than seeing the entire picture of what was being done within IT and the business they were underpinning. V3 in contrast takes a 'lifecycle' approach to managing services. It's closer aligned to how businesses are actually run, allowing IT to integrate more closely."

According to Pendlebury, the most common comment she is hearing is "we are still working on V2 and will not be looking at V3 for a while." Pendlebury responds to this by saying, "the truth of the matter is that if you are implementing V2 you are already implementing V3." This is reinforced by comments made in Anthes' story by Phyllis Drucker, director of consolidated services at AutoNation Inc. She said, "We'll lay v3 over our processes and see if there are any gaps", as opposed to scrapping their work on implementing V2.

Besides not abandoning V2 efforts, Anthes offers 4 other keys to gaining value from ITIL v. 3.

Do get started on V3. It's worth it.
Look at the tools.
Prepare for culture shock.
Don't expect to find everything in v3 - or like everything you find.

Anthes' article is full of valuable input from a number of IT professionals regarding their impression of V.3. Here are some to consider:

"What's so nice about v3 is that it really takes you back to the basics of business, and then you design your service to meet those." Alan Claypool, manager of business applications, city of Tampa, FL

"We got into ITIL, and by our third year, we realized that our tools were not allowing us to do some of the things we wanted to do. In hindsight, we could have made much faster progress has we had better tools." Sheri Cassidy, manager of process engineering services, Progress Energy Inc.

"We've all talked about the loss of service in the U.S.. I think this [ITIL v3] is a way to structurally put it back in place." Dale Ott, director of service management, Sarasota County Government and Schools, Sarasota, FL

If you are looking for more information on ITIL v3, contact the U.K. Office of Government Commerce, organizations like Pink Elephant or user groups like IT Service Management Forum International.

If you are looking for a tool to help you with infrastructure configuration and change management, consider requesting a demonstration of Ecora Auditor Pro. It will help you lay a solid foundation for adopting ITIL v3 in your organization's IT infrastructure.

Contributed by Mark Tordoff

Basics on the Federal Desktop Core Configuration standards

2008-09-08T14:42:58-07:00

It was the end of March that all federal agencies were supposed to meet the Federal Desktop Core Configuration (FDCC) policy for all Microsoft Windows XP and Vista systems by using the Security Content Automation Protocol, otherwise known as SCAP (pronounced S-cap).

Each agency is required to submit their FDCC reports to the National Institute of Standards and Technology (NIST). The FDCC policy came about using an interesting collaboration of numerous agencies working with Microsoft, including NIST, the Department of Homeland Security, the Defense Information Systems Agency, the National Security Agency, and the US Air Force.

While the title of the policy would lead you to believe it is primarily focused on the respective Microsoft operating systems, the policy actually extends to cover assorted components such as firewalls, antivirus, web browsers, and more. In an article appearing in the May 23rd issue of Processor, Ron Gula, chief executive officer and chief technical officer for Tenable Security speaks well of SCAP in comparison to the Payment Card Industry Data Security Standard (PCI-DSS) when he says, "SCAP has very specific settings that are applied to specific operating systems. It's taking the ambiguity out of system configurations."

According to the article, written by Sandra Kay Miller, here are some specifics on SCAP:

"SCAP is a suite of open standards that function together to deliver automated vulnerability management, measurement, and policy compliance evaluation. The XCCDF (eXtensible Configuration Checklist Description Format) and OVAL (Open Vulnerability Assessment Language) are assessment protocols. The reference protocols include the CCE (Common Configuration Enumeration), CPE (Common Platform Enumeration), CVSS (Common Vulnerability Scoring System), and CVE (Common Vulnerabilities and Exposures).

SCAP will allow security technologies to exchange systems and vulnerability information through a common format, thus allowing individual agencies the flexibility to use configuration management and security solutions that best meet their needs and budgets."

While the FDCC was established for government agencies to establish desktop configuration standards, the SCAP standards offer a lot of value to nongovernment organizations too. According to Gula,“You’ll see organizations like credit unions and healthcare agencies—those who work with the government—implementing FDCC." It is likely that many government organizations will make this a prerequisite for doing future business with their agency, especially if any electronic data is required to be shared between the two parties as part of doing business.

The configuration audit and compliance reporting capabilities of Ecora Auditor Pro can aid both government agencies and non-government organizations in assessing current desktop configurations and identify variances from the SCAP standards. To learn more about the Federal Desktop Core Configuration policy and how to audit your desktop configurations against SCAP standards, you can view this web recording on Standardizing Windows Desktop Configurations.

Contributed by Mark Tordoff

Virtualization continues to grow, so how do you control the sprawl?

2008-09-05T13:42:41-07:00

According to recent research from IDC, "the pace of adoption of virtualized servers is incredibly rapid among organizations that are using virtualization, with 35% of servers purchased in 2007 being virtualized and 52% of those bought in 2008 expected to be so." Now, while this was research of the European market, it is pretty easy to assume that these increases are probably representative of the US market as well, with possibly higher percentages. However, while these numbers reflect the number of servers purchased, it doesn't begin to capture the number of Virtual Machines being deployed on those servers.

The recent edition of InformationWeek featured an article by Joe Hernick and Lorna Garey discussing why it is "Time to Halt Runaway VM Sprawl." At the very beginning of the article, Hernick and Garey ask the question, "How will you audit for compliance if you don't know where all your production VMs reside, or even how many you have?"

As good as that statement is, it really only addresses have of the compliance concern surrounding virtualization. In the IDC study, their research showed that "the majority of virtualization is still for test and development and for network server applications." In many companies, this likely means that some customer data, including potential data that falls under compliance regulations, is stored in virtual test environments.

In addition, the IDC research also found that "virtualization is growing as a datacenter strategy in itself rather than as part of other projects." Why is that significant? It means in a growing number of IT departments, not only is the test environment virtualized, so is the production environment and, in all likelihood, so is the back-up data center used for disaster recovery and business continuity purposes. This means you need to understand how VMs are configured in each of these three virtualization environments if they hold data that falls under any of a growing number of government and industry regulations.

If you are just transitioning from physical to virtual servers, Hernick and Garey offer these recommendations:

Admit you need to put a policy in place for how physical to virtual migrations are to be executed
Live by the credo that "a virtual server is still a server", with all the policies and security and management concerns of a physical box
Build a mission statement laying out the organizational goals for virtualization
Inventory your physical and virtualized environments (Ecora Auditor Pro can be a tremendous help here)
Overlay compliance and data security policies and organizational and management requirements (again, Ecora Auditor Pro and its Executive Dashboard and Compliance Center can be a real asset here)
Put strict controls in place on VM creation (Auditor can also help in identifying unapproved VMs that may be deployed)

As IT becomes more and more dependent on virtual environments, especially with the availability of Microsoft's Hyper-V in addition to VMware ESX, as well as the growing number of other players in the virtualization space, it will become increasingly more critical to be able to quickly access the number of VMs in your environment, understand how they are configured, and be able to track changes to those configurations on an ongoing basis.

Contributed by Mark Tordoff

Data Loss Prevention is an International Issue

2008-09-03T09:49:53-07:00

Steve Wright is a Senior Manager for Risk Assurance Services with PriceWaterhouseCoopers in the United Kingdom. Steve and I have worked collaboratively over the past year on a number of web presentations related to issues related to ISO 27001 and the PCI Data Security Standard. In fact, Steve will be doing a presentation with Ecora on How companies are using the PCI Data Security Standard for improving the Security & Performance of Information Systems on September 24th at 10am Eastern. You can register here.

Recently, British papers reported on the loss of a significant number of criminal records from the Police National Computer. In response, Steve was willing to share these thoughts on the subject of preventing data loss.

"Unfortunately, Friday 22 August 2008, we once again awoke to the news of yet another data loss incident. This time, it is the personal records and intelligence on tens of thousands of UK prisoners, including secret dossiers on the UK’s 10,000 priority criminals – a kind of who’s who in the criminal world. Such a lapse in basic data security also puts at risk police informants, as a number of unspecified people included in the data breach were enlisted on the drug intervention programmes.

This makes the data highly valuable in underground world of data intelligence and literally can put ‘lives at risk’. The incident appears to involve another third party responsible for handling the data, but alas, the data had been unencrypted for data transfer reasons – the very opposite of when data should have remained encrypted.

So what could of have been done to prevent such an incident in the first place?

Well, it may be easy with hindsight to point the finger and cry negligence. The Home Office investigation will no doubt come to some conclusions, but it does not matter now, for 88,000 prisoner records is currently unaccountable for. One possible solution would be for the Home Office to look at what could have been done to prevent such a loss occurring in the first place – also known as a Data Loss Prevention (DLP) review. A DLP review could have possibly identified areas of potential weakness in either the Home Office or its trusted third parties key data handling processes and hopefully mitigated or managed the risk accordingly.

What is Data Loss Prevention?

DLP addresses three fundamental questions:

(1) Where is my confidential information being held? – This includes the data’s entire lifecycle or journey and where the data is being stored (third parties, off-shoring, outsourcing)

(2) How is the data being used? – This should include why, when, what and who accessed it

(3) How can we best prevent data from being lost? – What are the risks and thus what possible mitigating actions could be deployed to avoid loss, theft or compromise?

At the heart of Data Loss Prevention is understanding what the value of the data is to the organization, how everyone is responsible for ensuring its ‘health and safety’ – in essence, this can only be achieved through a comprehensive understanding of the risk (risk analysis) facing your data, and educating the people who handle or access it, i.e. mandatory training for all people who come into contact with it.

This may appear like a basic concept, but it is one that is often neglected - as with treating any symptoms, understanding the cause is paramount. Understanding why data is important to others and how easily it can be lost, compromised, manipulated or stolen, is a critical part of the process of understanding DLP and winning the ‘hearts and minds’ of every employee, third parties and person who comes into contact with the data.

Either way, once the UK Home Office has completed its investigation and lessons learnt, we can be pretty much guess what some of the findings and recommendations will be – Possible Finding; ‘a systematic failing of following basic procedure, further exacerbated by the lack of adequate training on data security procedures. In other words, a pragmatic approach to DLP may have avoided such an incident; and by ensuring all persons who come into contact with the data (i.e. third parties) receive an appropriate level of mandatory security and data handling training, such lapses in basic data security may be avoided in the future."

An item that I might add to Steve's comments are the essential need to understand how the infrastructure is configured around where key data is stored and accessed, as well as the applications that use this data. Without ensuring that access is limited to authorized personnel only and that appropriate security steps are employed related to password length, complexity, and frequency of updating, especially those for administrative accounts, any data is prone to be inappropriately access and potentially leveraged for criminal activity. As we'll demonstrate in Steve's upcoming presentation, Ecora Auditor Pro can automate the identification of current users, password information and NTFS share and permissions so that you can quickly remediate situations that don't meet your security policies and, in all likelihood, external government or industry regulations.

Contributed by Steve Wright, Senior Risk and Data Security Practitioner at PwC and Mark Tordoff

What the Current Economic Uncertainty Means for IT

2008-09-02T06:00:00-07:00

This has been a difficult period of time for all of us, on both a business and personal level. The rising cost of fuel has impacted us all, and nearly every region of the county has faced some type of significant weather-related challenge in the past six months.

Now that the weather has improved and fuel prices have moderated some, people have been distracted by the current Olympic Games in Beijing, as is probably evidenced by the amount of YouTube or NBCOlympics.com hits your network has seen in the past two weeks. Throw in the typical summer vacations and the upcoming Democratic and Republican conventions to kick-off one of the most significant Presidential elections in decades, and it’s clear that the upheaval to the economy isn’t going to end immediately.

The Impact on IT Budgets

According to a recent survey by InformationWeek, “of more than 600 business technology executives who responded to our most recent survey, 40% say they decreased IT spending this past quarter relative to their original 2008 budgets; for companies with annual revenue of more than $500 million, it's 50%.”

The survey indicates that budgets going forward this year are not likely to grow. In fact, a large percentage said they were expecting cutbacks. According to the article, “39% say they're cutting, and those cutbacks could be significant, with 19% saying their IT spending this year will be down more than 10%.”

What to Consider When Making Cuts

If you are faced with the unenviable task of reducing an IT budget that you already scrutinized before you submitted it, what are some things you should consider? According to Laurie M. Orlov of CIO Magazine, you should consider the future.

In her article, When Cutting IT Costs, Look to the Future, Ms. Orlov talks about some of the mistakes that were made following the dotcom bust and the Y2K spending hangover and suggests different tactics should be considered in the current economic downturn.

Here are three suggestions she has:

Protect hard-to-fill roles
Bring on the interns
Solicit ideas from your staff and peers

Those work well for maintaining some of the human capital of the organization and maintaining a solid workforce, but it doesn’t begin to address the need to continuously maintain business services , keep corporate and personal data secure, and continue to meet a growing number of compliance mandates aimed at IT.

In the same issue of CIO Magazine, Mack Murrell, Dow Chemical’s vice president of IT, shares some ideas that begin to shed light on some technology decisions you can make to help in tight economic times like we’re in now.

Here are some of the key items Murrell shares:

“We look at cost management from a strategic point of view. I’ve got a three-to-five year look ahead on costs.”
Dow has controlled IT costs by maintaining an “appropriate” level of IT standardization
IT customizes solutions only when necessary

One key, as the article states, is certainly standardization. In this case, the reference was to standardizing of hardware and applications. But, when you are standardizing your infrastructure, it is also important to standardize how they are configured.

Standardizing configurations ensures that your infrastructure will perform at its optimum potential and that critical business services will be available for both your external and internal customers. However, this requires the ability to know how you expect systems to be configured, can easily document how they are really configured, and what discrepancies exist between the two so that corrections can be made.

In addition, nearly every organization faces multiple internal and external audits of their IT infrastructure. A lot has changed since the passage of Sarbanes-Oxley back in 2002. Audit firms have spent a great deal of time and effort over the past six years hiring and training auditors to be much more knowledgeable about the type of configuration controls that should be in place to reduce the potential risk that might otherwise exist to regulated data in your infrastructure.

Beyond that, Sarbanes-Oxley is no longer the only audit concern facing IT. In fact, Gartner analysts are now forecasting that “by 2012, the number of regulations that directly affect IT operations will double.” In challenging economic times, it is vital that you can respond to various audit demands without the need for a lot of manual effort or external sub-contractors that you can’t afford.

In addition to the suggestions made by Ms. Orlov and Mr. Murrell, if you don’t have an automated solution for effectively documenting and auditing the configuration attributes across your enterprise, let me suggest requesting a personal demonstration of a tool like Ecora Auditor Pro.

Contributed by Mark Tordoff and Bryan Cote

Top 10 eDiscovery Trends

2008-08-29T06:00:00-07:00

I had so much fun with Wednesday's Top 10 list, that I thought I'd end the week with another.

Over the past few months, I've had the privilege to host three separate webinars with William Morris and Jane Hils Shea from Frost Brown Todd LLC and Sunil Bhargava from Intellitactics.

William is an Associate in the Intellectual Property Department of Frost Brown Todd and, back in April, he addressed the issue of How You Can Secure the Infrastructure Around the Data You Must Save in a webinar with Ecora. In June, Sunil, who is the Chief Technology Officer at Intellitactics, joined us to highlight 5 Ways to Avoid High Data Loss Litigation Fines. Just last week, Jane, the chair of the Privacy and Information Security Law Practice Group at Frost Brown Todd LLC, share important information related to Current and Emerging Issues in Data Privacy Protection Law. You can click on each link to register and watch any of the presentation recordings.

Given the importance of IT documentation to litigation cases outside of the typical regulatory compliance headlines, I was pleased to see that Clearwell Systems, Inc. shared a paper on what they feel the Top 10 Trends in e-Discovery are. You can accesss the paper here.

1. "E-Discovery Teams" are Coalescing -- Recognizing that e-discovery is changing from an ad-hoc event to a formal business process, both law firms and corporations are beginning to develop cross-functional "E-Discovery Teams" to help navigate the transition from reactive fire drills to proactive management.
2. Early Case Assessments Become Mainstream -- Understanding where a party stands at the earliest stages of litigation is critical to the outcome of a case. By selecting the right technology and implementing tools optimized for e-discovery analysis, legal professionals are better able to find and interpret key case facts from mountains of electronic case data.
3. "Search" Goes Under the Microscope -- Recent case law scrutinizes attorneys who navigate the search process alone; consensus between parties is critical. For a keyword search to pass judicial muster, it must be an agreed upon "Collaborative Search Approach" or adopt a "Best Practices & Data Driven Search Approach."
4. E-Discovery Moves In-House -- Corporations are bringing pieces of e-discovery in-house to reduce costs and streamline the process. Certain tasks will likely remain outsourced (e.g., forensic collection, large scale distributed review), whereas other routine tasks are quickly being brought in house (e.g., searching, culling, processing, analysis).
5. Review Mantra: "Smarter not Harder" -- Reducing the size of case datasets by removing irrelevant documents has been proven to lower processing costs by up to 80 percent, and reduce review workloads by up to 90 percent. In-house and outside counsel have significantly fewer documents to review, thus lowering resource requirements and cost.
6. The Standard of Care is Rising -- Rapidly -- The bar and bench is now using a common language around a new set of e-discovery challenges that did not exist until recently. As a result, attorneys and the parties they represent are getting fined and sanctioned for e-discovery negligence and abuse that would have been overlooked a year or two ago.
7. ESI Expands Well Beyond Email -- Legal professionals recognize the need to choose an e-discovery method that is flexible enough to encompass emerging communication technologies such as blogs, Wikis,voice over IP (VOIP), Webmail services, text and instant messaging, etc.
8. Custodial Data Increases by Orders of Magnitude -- Increasing volumes of data have reached a critical "tipping point," placing greater importance on data searching and aggressive use of ECA to quickly cull down data sets, in addition to automated document review methodologies.
9. Non-Manual Document Review -- Rising costs and compressed production deadlines are influencing attorneys to employ an iterative searching process that automatically weeds out confidential and other non-responsive and/or privileged documents prior to production.
10. Vendors Struggle to Adapt to the Evolving Landscape -- E-discovery has become more complex and specialized; thorough research must be conducted prior to selecting a solution.

While much of what Clearwell addresses in the trends is specific to their offering, there are two things that are important to grasp when looking at e-Discovery that may be required as part of current or future litigation.

1. You will potentially need to store sensitive data in your systems longer than you have typically done, so that it will be available to produce in the event of litigation. Because of other potential regulations regarding the security of this data, you will need to be especially diligent to put proper safeguards around any part of your infrastructure that is involved in the use, transmission or storage of that information.

2. Often, rulings in litigation cases involving electronic information are determined based on the ability or inability of defendent to produce evidence to the court supporting that their systems were properly documented or that appropriate identity and access policies were actually being deployed and maintained in their infrastructure. Failure to continually document your infrastructure and validate the configuration setting against appropriate information security standards will likely cost you significantly, not only in fines but in court-imposed, mandatory ongoing audits. This is where an automated configuration audit and compliance reporting solution like Ecora Auditor Pro can yield tremendous benefits, not only to daily operations for identifying the root cause of system outages, but for avoiding potentially costly litigation settlements and reputation-bruising news headlines.

Contributed by Mark Tordoff