- +
Process Trip 04 February, 2008 13:07:03
Why Maritz Travel revamped key business processes — and how business and IT came together to make it workWhen Rich Phillips became COO OF Maritz Travel about two and-a-half years ago, he sat down and took a hard look at the big industry picture - +
Ticked Off at Tick the Box Mentality 04 February, 2008 13:01:15
Does your executive search firm know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients?Does your executive search firm know its MIS managers from its elbow? Does it even know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients? - +
Strategies for Dealing With IT Complexity 24 December, 2007 10:30:47
Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business.Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business. - +
9 Paths to Higher Performance 10 December, 2007 14:09:23
When an organization brings together talented people in a creative, collaborative environment it fosters a culture of high performance, which in turn leads to superior business resultsLike high-achieving individuals, some organizations seem to have the Midas touch. Virtually every initiative they touch earns them gold and even those that fail never seem to cost them much of anything at all - +
Doing Your Sums on . . . Build, Buy or Rent 05 November, 2007 13:32:30
You’re trying to build a world-class IT team, but everyone’s going after the same talent pool. What mix works best? Should you grow your own, draft your players or barter your way to the line-up you want to field?CIOs should never forget that while new technologies have a maturity cycle, the maturity cycle for human beings in IT is even longer
- +
Can Macs conquer the enterprise? 11 January, 2008 10:55:53
The field is wide open for a Macintosh insurrection on the business desktop. It could happen, but probably won't. Here's why.If Apple were a football team, the New England Patriots would have had some serious competition this year. - +
10 things we hate about laptops 16 November, 2007 12:40:09
Sure, laptops have revolutionized the way we compute. That doesn't mean they don't drive IT bonkers.Damaged. Lost. Stolen. Too big, too small. Insecure and unreliable. And just plain annoying. If you're in IT, there's just not much to like about laptops.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Newsletter Subscription
Despite some progress in recent years, most US federal agencies still have significant gaps in their information security controls, according to Gregory Wilshusen, director of information security issues at the Government Accountability Office (GAO). In testimony before the House Committee on Oversight and Government Reform, Wilshusen said that continued security problems in several key areas — including access control and configuration management — pose a clear danger to the confidentially, integrity and availability of critical government systems and data. In an interview, Wilshusen said the problem may have to do with the way agencies are dealing with the Federal Information Security Management Act (FISMA).
Excerpts from that interview follow:
What should US federal agencies take away from your testimony?
The key message to take away from my testimony is that agencies need to move away from mere compliance with the FISMA requirement and focus on effective security. One of the things we found is that while agencies are increasingly performing a number of different types of control activities on a greater percentage of their systems and personnel, many of these controls are not effectively implemented. What we got are information security reviews. For example, under FISMA agencies are reporting that an increasing number of their systems have been certified and accredited. For 2006, I think it increased up to 88 percent of all US federal systems.
But the IGs [inspectors general] at 10 of the agencies reported that the quality of the agency certification and accreditation process was either poor or failing. When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited. Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect. Whether agencies are focusing on just performing those activities and taking more of a checklist approach in order to get a higher FISMA grade is one issue. If that is what they are doing, they are not going to enjoy the benefits of implementing the processes that result in stronger security.
What does certification and accreditation entail?
Certification is a process where an agency conducts a risk assessment, identifies controls that should be implemented to mitigate those risks and develops a plan to test those controls to see if they are operating effectively. It is a process where they provide training for users of the system and have a plan for continuity of operations for that system. All of this should be done before a system is placed into operation. Once that certification process is gone through, a senior high-ranking official at the agency is supposed to review the certification package and then either authorize the system for operation or not.
Every agency has to go through a certification and accreditation process, not only at initial deployment, but also every three years thereafter or whenever there is a major change of the system. But what we are finding is that agency security testing and evaluation procedures are not very effective. A lot of times, they are not identifying the vulnerabilities that we do when we are testing and evaluating the security controls an agency has implemented. In part, that may be because of the scope of their testing or the type of testing they do. Or maybe their testing is interview-based versus actually going out to check the configuration on specific devices. What we found is that agencies are increasingly implementing FISMA controls, but the performance metrics that are being used for the most part don't really measure the effectiveness of the controls - just merely whether or not the agency implemented it.
In your testimony, you mentioned the need for a common framework that agency inspectors general could use to evaluate and report on the state of security within that agency. Why is there a need for this?
There are two parts to each agency's annual FISMA report. One is what the agency CIO submits, and one is what the agency IG submits. Our analysis showed that the IGs do not really have a common framework for conducting these independent evaluations required by FISMA. One of the things we found is that the scope of some IG [evaluations] were very detailed and identified a number of vulnerabilities and reported on those. Some of the other agency IGs evidently did not do as detailed a review. That kind of makes it a little harder to have a meaningful comparison across agencies and over time. So that is one of the reasons why we are proposing a common framework [that] would identify the type of testing that should be performed and the level and the detail those tests should be performed at. There is a precedent for this. The GAO and the PCIE [President's Council on Integrity and Efficiency] came up together with a common methodology for conducting financial statement audits of the federal government. Something similar might be appropriate for assessing the information security at these agencies.
Soon after the breach at the US Department of Veterans Affairs last year, the Office of Management and Budget (OMB) asked agencies to implement measures to protect personal data. How have agencies responded?
We have a couple of ongoing jobs right now where we are assessing agency efforts at protecting personally identifiable information. We also have another engagement looking at an agency's use of encryption. The objective of those reviews is to determine what policies exist that agencies are implementing to protect personally identifiable information. I cannot get into the results right now because the work is ongoing. What we can say is that agencies have taken note of those [OMB memos] and are working towards implementation.
Another initiative that the OMB is now requiring agencies to undertake, which I think is a very positive step, is the use of common security configurations [on all agency systems]. It is based on an initiative started by the US Air Force in which they worked with Microsoft to ship what they called "secure configurations" on each issue of Microsoft Windows that was shipped to the US Air Force. Now they are trying to do that on a government-wide basis. I think that's a very positive thing. Many of the vulnerabilities we identify are because the operating systems are not securely configured. Usually, vendors set their operating system configurations in the least secure manner in order to facilitate installation and implementation. So if you are able to have these common security configurations implemented on your systems at the point of installation, that's going to help.
Many of the concerns raised in your testimony are the same as those raised in previous GAO reports over the years. Are you surprised at all?
Am I surprised? No. Implementing information security is a very challenging endeavour these days — particularly with the increased demand for interconnectivity and information sharing, the complexity of the computing environment, and the changing nature of threats and vulnerabilities at many agencies. While I won't say I am surprised, I will say this has been a government-wide high-risk area since 1997 and remains so today.
2008 CIO Summit
19th August, 2008 Four Seasons Hotel, Sydney Developed in partnership with CIO Magazine, IDC, INTEP and the CIO Executive Council.
The world of the CIO is extremely complex and diverse. Multiple priorities demand attention and decisions are needed instantly. Individual teams need to be driven towards common goals, and businesses strive to become more mobile, agile and responsive. For CIOs, the challenge never ends.
Every year the CIO Summit identifies what is top of mind for CIOs across Australia and New Zealand, and offers insight for CIO benchmarking and vendor strategic planning alike.
Recent IDC research shows that over 59% of CIO's believe that 'to achieve their business strategies, technology should be used more aggressively than today.'
Join us on August 19th to discover how this is possible with the latest technologies including Virtualisation, Web 2.0, IP Surveillance and Software as a Service (Saas).
Click here for more information.
Please email Denyse_Robertson@idg.com.au for further information.
- +
CIO Live Podcast #79: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires Part II 05 October, 2007 06:00:00
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #78: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires 28 September, 2007 17:34:25
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #77: Panasonic Speeds Up Trans-Pacific File Transfers, Part III 21 September, 2007 07:00:00
Part three in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #76: Panasonic Speeds Up Trans-Pacific File Transfers, Part II 14 September, 2007 07:00:00
Part two in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #75: Panasonic Speeds Up Trans-Pacific File Transfers, Part I 07 September, 2007 07:00:05
Part one in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance.
- +
DNS error brings Sophos antivirus updates to a halt 05 September, 2008 13:40:00
Optus, Internode and Equinix affected among others.A sporadic Domain Name Server (DNS) error has blocked Sophos anti-virus updates around the world. - +
Information security governance: Centralized vs. distributed 05 September, 2008 10:15:00
Should security policies, procedures and processes be managed within a central body, or distributed at an individual level? You need to find the middle ground.The management of information risk has become a significant topic for all organizations, small and large alike. But for the large, multi-divisional organization, it poses the additional challenge of determining how to deploy an information security governance program among what are often disparate business units. Should the policies, procedures, and processes that define the program be developed and managed within a central, corporate body? Or perhaps responsibility would be better placed at the individual unit level? Is there a workable middle-ground? - +
Ouch! Security pros' worst mistakes 04 September, 2008 08:05:00
We've all done regrettable things on the job, but does any valuable wisdom come of it? Four security pros candidly explain their biggest blunders and what they learned in the processIt was a mistake so bad the person who made it asked that his name and company not be mentioned here. Let's call him Frank. - +
Security ROI: Fact or Fiction? 03 September, 2008 08:32:00
Bruce Schneier says ROI is a big deal in business, but it's a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies.Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable. - +
Information Security and the Importance of Context 01 September, 2008 10:00:00
Those entrusted with information security must raise their contextual awarenessWhen the US Transportation Security Administration (TSA) was first created, it created a sudden need for tens of thousands of screeners. Getting a job as an airport screener was a pretty easy process. It seemed as though if you had a pulse, you were in. Jump forward to 2008 and becoming a screener is a bit harder as the TSA has instituted background checks, has upped the educational requirement to include a high school diploma or GED, and added other significant requirements.
Viva la Verticals! Key to Vendor Growth is Through Vertical Market Opportunities, Says IDC 05 September, 2008 11:05:00
F-Secure delivers fastest protection in the online world 04 September, 2008 16:50:00
Rogue security apps dominate Fortinet's Aug 2008 IT threat report 04 September, 2008 16:00:00
IntraPower Signs Deal with Australia’s Largest Service Station and Convenience Store Network 04 September, 2008 10:07:00
TANDBERG Begins Desktop Videoconferencing Roll-Out at New England Credit Union 03 September, 2008 16:01:00
|
||
|
||
|
|
||
|
Why Security SaaS Makes Sense Today
Corporate IT teams are waging a significant security battle on two fronts these days: stopping attacks via the Web and through email. Security SaaS can solves these problems and more. Read on to discover 7 reasons why security SaaS makes sense for your business.
Subscribe to CIO
