Top to Bottom Best Practice
Aberdeen says best practices for governing security span a wide range of activities, from board involvement to what happens daily within the enabling technologies that support an organization's missions. In between, security is fundamentally about how people interact with information systems.
More specifically, Aberdeen research shows that firms operating at best-in-class levels emphasize repeatable procedures, effective management of data and knowledge, an efficient and transparent organizational structure and strategy, and enabling automation technologies that assist with responses to business pressures.
"Most share this sentiment expressed by one respondent," Aberdeen says. "'There is no such thing as a silver bullet or a single source for security, and there never will be.' But most organizations automate when speed, business cycles or business seasonality force them. Many of the firms humbly admit their security programs still have a long way to go before reaching their full promise."
Aberdeen emphasizes that enterprises must maintain control and security of networks and systems. "Enterprises are struggling with trying to balance flexibility and agility with managing the risk that comes with unfettered access to information among employees, customers, business partners and suppliers."
CIO magazine polled practitioners and analysts for their own list of network security best practices.
1. Assess Your Risk
You cannot hope to cost-effectively secure the enterprise until you have conducted a comprehensive risk analysis. Seek to adopt a risk management methodology that will let you weigh the risks and costs of enterprise-wide protection. This in turn will help you prioritize the strategies for becoming secure.
"The concept, basically, is 'not all threats are created equal'," BioPassword's Wood says. When Wood became CSO at Microsoft he realized that if he signed up to a pledge to protect the company, he was setting himself up for failure. IT pros know their companies are susceptible and vulnerable to attack. Since no operating system is created invulnerable and no network is created impenetrable, nobody can promise to provide total security, he says.
"I knew I couldn't [completely] protect the company, and I knew if I tried, ultimately something would happen and we would fail," Wood says.
Instead, he took a macro-economic view of security, which involved dividing assets into categories, identifying key vulnerabilities against each asset and then assessing the relative probability of an attack against the detailed mitigation perspective he took into the exercise. Ultimately the team was able to come up with a number for each category that represented a high, medium or low probability of an event. "That allowed us to prioritize, if you will, the strategies for getting healthy or getting secure."
Not only did that let him allocate greater resources to the highest risk, it also gave him a way to communicate to the executives the entire risk or threat profile, so that they could understand which ones were not being acted against.
"In my role the most important thing in retrospect that I did was communicate what we weren't going to protect: the problems that we weren't going to fix, because the ones that you address, everybody knows about. The one you get rewarded for is for the attack that's never successful.
"For example, with respect to susceptibility to mass propagating worm virus, we set up a threshold and said 99 percent of the machines of the company, of which there were more than 300,000, would be protected - patched . . . We knew that 1 percent of machines in the environment would always be susceptible to an attack, whether to a worm or a virus or credential harvesting or otherwise, but what we said was 99 percent would be successful, and we had some strategies around the network to make it less damaging if the 1 percent became infected ultimately."
Consideration of the inherent security risks should become a part of the evaluation of any new technology.
"The most important thing to do before getting into the technology, getting into introducing controls like firewalls and stuff, is to actually understand the risk [of the new technology]," says Neal Wise, a partner with security service provider Assurance.com.au. "The most important thing for an organization to do is a risk assessment activity that allows them to ascertain the critical functions of the organization, and that in turn will identify the critical organizational infrastructure that supports those functions, which will include technology."
More often than not, people will jump immediately to the technology aspect of the solution. Inevitably that may come into play, but without strong planning and a supporting organizational policy and governance in place before getting into the technology areas of security, you are basically investing without a context for that investment.
Depending on the size of the organization (some organizations will have internal audit personnel who may do some aspects of the risk assessment), the most effective way for many organizations to conduct a risk assessment is to assemble a group of interested stakeholders from affected areas, including technology, organizational management and finance, to contribute to the overall risk assessment. Security should be a consensus activity, Wise says. One person may have the responsibility for collecting the information, but they should acquire that from all parts of the organization in order to gain the complete picture.
"We tend to measure the value of our investments against the risk in dollars that we can mitigate," American Water's Larson says. "That's the business's decision, but the key point is the quantification of risk avoidance value in our investments."
"Really, what it boils down to is having an operational risk focus and driving the ownership of that risk back into the business, because they're the people who can really make decisions about what is the cost versus the risk," says one Australian CIO. "The IT security people are really just there to . . . facilitate that risk assessment but they're not the people who can be saying yes or no."
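The prioritization exercise Wood and Larson describe, as an added example that is not from the article or from any of the organizations named: a small Python risk register that bands each asset category, funds controls in order of risk avoidance value per dollar, returns the residual risk that has to be communicated to executives, and checks a patch-coverage threshold of the kind Wood quotes. The categories, dollar figures, probability bands and budget are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    category: str                # asset category (constructed labels below)
    asset_value: float           # dollar impact if the event occurs
    probability: float           # annual probability of the event before the control
    mitigation_cost: float       # cost of the control that addresses it
    residual_probability: float  # annual probability after the control
    def exposure(self) -> float:
        """Annualised loss expectancy with no control in place."""
        return round(self.asset_value * self.probability, 2)

    def avoidance_value(self) -> float:
        """Dollar risk the control removes: the 'risk avoidance value'."""
        return round(self.asset_value * (self.probability - self.residual_probability), 2)

    def rating(self) -> str:
        """High/medium/low band on pre-control probability (assumed thresholds)."""
        if self.probability >= 0.5:
            return "high"
        return "medium" if self.probability >= 0.1 else "low"

def prioritise(risks, budget):
    """Fund controls by avoidance value per dollar until the budget is spent;
    whatever is left over is the residual risk to communicate explicitly."""
    funded, accepted = [], []
    for r in sorted(risks, key=lambda r: r.avoidance_value() / r.mitigation_cost, reverse=True):
        if r.mitigation_cost <= budget:
            budget -= r.mitigation_cost
            funded.append(r)
        else:
            accepted.append(r)
    return funded, accepted

def residual_exposure(funded, accepted) -> float:
    """Risk left after the programme: mitigated risk on funded items plus untouched risk on accepted ones."""
    left = sum(r.asset_value * r.residual_probability for r in funded)
    return round(left + sum(r.exposure() for r in accepted), 2)

def patch_threshold_met(patched: int, total: int, threshold: float = 0.99) -> bool:
    """Coverage target of the kind quoted above (e.g. 99 percent of machines patched)."""
    return total > 0 and patched / total >= threshold

# Constructed register; the figures are illustrative, not from the article.
REGISTER = [
    Risk("workstations", 5_000_000, 0.60, 400_000, 0.01),
    Risk("email gateways", 2_000_000, 0.40, 150_000, 0.05),
    Risk("legacy lab servers", 300_000, 0.30, 250_000, 0.02),
    Risk("public website", 500_000, 0.20, 60_000, 0.05),
]
```

Calling `prioritise(REGISTER, 600_000)` funds the workstation and email-gateway controls and leaves the website and legacy-server risks as explicitly accepted items, which is the list Wood argues matters most to communicate.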