Challenges to Security Management in Companies with Global and High-Risk Operations
Congratulations! You are a successful security professional in an organization that has a global footprint. Accordingly, in your role of security manager you have just been advised that your company will build a chemical facility in Colombia, and you now have the responsibility and obligation to ensure that your company's people and assets are adequately protected. Whether you have had international security experience or not, you are about to get an education in the ups and downs, the ins and outs, of dealing with people and projects operating outside of the United States of America or wherever your country of origin might be. You are faced with major opportunities and gigantic challenges. So, what to do? Read on ...
Five Ways to Increase Operational Efficiency with Alert Management
An alert management platform empowers companies to target actionable information from IT applications and systems automatically to the employee who can resolve the issue--escalating as necessary. Effective alert management provides the tools to access internal systems and address events from a mobile workbench as well as resolve issues from any web-enabled mobile device. Process acceleration and service improvements can help resolve incidents an average of 40 percent faster, saving up to millions of dollars annually. There are five ways that implementing alert management can immediately increase operational effectiveness across the enterprise--including process and efficiency improvements in incident, service, and change management--while significantly reducing costs.
Ten Steps to Sarbanes-Oxley Compliance
One problem with the implementation of SOX is that it tends to set a standard for compliance that may be inadequate. Meeting SOX standards--i.e., passing 404--does not imply that a firm or an IT department has the processes in place required to manage its business. Nor does it mean that an optimal level of control exists, any more than having a pulse signifies good health. SOX compliance is the minimum standard, not an optimum standard. Regardless of your firm’s current maturity level, you will need to demonstrate SOX compliance efficiently and honestly. This article describes the typical steps required to pass section 404.
Getting Started with Vulnerability Management
Vulnerability management (VM) is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This is a broad definition that has implications for corporate or government entities. It is not a new discipline, nor is it a new technology. This vital function has been a normal part of hardening defenses and identifying weaknesses to systems, processes, and strategies in the military and in the private sector. With growing complexity in organizations, it has become necessary to draw out this function as a unique practice complete with supporting tools. Listen as Park Foreman discusses how to get started.
Rogue Security Software Dupes Users
According to the Symantec Report on Rogue Security Software, 43 million users fell victim to rogue security software scams between June 2008 and June 2009. During this period, Symantec observed 250 distinct security software programs that were marketed and advertised as legitimate but that were, in fact, rogue security applications. Users either installed this software manually, believing it to be legitimate, or the software automatically installed when the user visited a malicious website. To avoid becoming the next victim of a rogue security software scam, your users can use these tips to identify such threats and know how to mitigate their risk.
Stretching the IT Budget: Look Beyond the Obvious
IT departments willing to look beyond the surface and the obvious can often eliminate apparent tradeoffs without having to choose one side or the other. When faced with a situation that appears to force a tradeoff, try to examine the problem from a different angle. Taking this fresh-thinking perspective can stretch the IT budget to achieve goals that you might otherwise forgo in an environment of severe financial constraints.
The Evolution of Video Surveillance Systems
This excerpt from Intelligent Network Video: Understanding Modern Video Surveillance Systems by Fredrik Nilsson and Axis Communications outlines the evolution of video surveillance systems. It explains different system configurations, from fully analog to fully digital, along with the benefits of each configuration. The systems described in Sections 2 and 3 constitute partly "digital" video systems. Only the systems described in Sections 4 and 5 are true network video systems in which video streams are continuously being transported over an IP network, providing full scalability and flexibility.
The Keys to Intergenerational Harmony
Most of what's been written about multiple generations working side by side has come from those of us who are considerably older (and more experienced) than our Gen X and Gen Y counterparts. In this article, Sheryl Lindsell-Roberts and Nancy Settle-Murphy sought the perspectives of some of their Gen X and Gen Y colleagues. After all, for all of the wisdom we older generations think we have to offer, the Gen X and Y folks of the world have a lot to teach us, too.
12 Dangers of Endpoint Security
2010 promises to be filled with new technologies giving SMBs access to a growing variety of IT tools to improve productivity, such as netbooks, smartphones and cloud computing-based services. But without adequate endpoint security best practices in place, a business leaves itself open to external and internal threats that can cripple it. To enable SMBs to get maximum benefit in 2010 from these technologies, Symantec has developed a list of the "12 Dangers of Endpoint Security" to help SMBs and their solution providers identify and thwart them.
Why Are Information Technology Controls and Audit Important?
The role of IT control and audit has become a critical mechanism for ensuring the integrity of information systems and the reporting of organizational finances to avoid and hopefully prevent future financial fiascos such as Enron and WorldCom. Global economies are more interdependent than ever and geopolitical risks impact everyone. Electronic infrastructure and commerce are integrated in business processes around the globe. For the IT auditor, the need for audit, security, and control will be critical in the areas of IT and will be the challenge of this millennium. There are many challenges ahead; everyone must work together to design, implement, and safeguard the integration of these technologies in the workplace. The chapter from Information Technology Control and Audit, Third Edition by Frederick Gallegos and Sandra Senft explains why.
The Internet Security Landscape: A Look Back at 2009 and Predictions for 2010
It's been said we should learn from the past, live in the present and plan for the future. Symantec Security Response's top researchers analyzed the data they gathered over the past year and compiled a list of the top security trends they saw in 2009. In their quest to stay ahead of the bad guys and anticipate security protection needs for their customers, they also theorized on what they expect to see in 2010. One thing is certain: Internet security threats are not diminishing or going away--we expect to continue to see an increase in the sophistication of security threats and social engineering tactics in attempts to victimize computer users.
Improving Performance in Troubled Times through Distance Learning
This article maps out several important steps to creating a successful multifaceted distance learning program. The starting premise: simply throwing a slide presentation onto a website, while it may be fast and inexpensive, almost never achieves the intended results. Instead, it is a thoughtfully created program encompassing a variety of learning activities that can cultivate skills and accelerate time to practical application.
Introduction to Risk Analysis
Risk management is a process that provides management with the balance between meeting business objectives or missions and the need to protect the assets of the organization cost effectively. In this period of increased external scrutiny due to the myriad questionable management decisions and the corresponding legislative backlash, risk management provides management with the ability to actively demonstrate due diligence and how they are meeting their fiduciary duty. This chapter from How to Complete a Risk Assessment in 5 Days or Less by Tom Peltier examines how risk analysis helps managers meet their due diligence requirements.
Crime Prevention through Environmental Design
This is an introduction to crime prevention through environmental design (CPTED), which is the "proper design and effective use of the built environment that can lead to a reduction in the fear and incidence of crime, and an improvement in the quality of life." CPTED encompasses (1) the criminal offender perspective regarding an environment and the risk of getting caught when committing a crime and (2) the social dynamics, sense of ownership of the environment, and their associated protective actions by persons who work, live, or traverse the environment en route to another destination.
Data Protection: Where the Problems Lie
This article looks back at the foundations of data protection. It discusses how the introduction of RAID technology changed data protection and why RAID alone is not enough. It then discusses what needs to be done to provide better logical data protection. It closes with an explanation of why disaster continuity faces issues related to cost, distance, and underprotection, along with some recommendations for improvement.
The Insider Threat: A View from the Outside
Most employees and contractors are trustworthy and contribute their energy every day toward the company mission. However, unexpected, disappointing events can cause individuals to engage in criminal activities, and they are sometimes unaware of the magnitude or the consequences of their actions. To provide adequate information assurance, special attention to the insider threat should be built into our security programs.
Secure Database Design Principles
This chapter from Database and Applications Security: Integrating Information Security and Data Management by Bhavani Thuraisingham describes design principles for Multilevel Secure Database Management Systems (MLS/DBMS). In particular, it provides a taxonomy for the various designs for an MLS/DBMS. It provides information on mandatory access control for DBMS and discusses the Bell-LaPadula security policy model and its interpretation for MLS/DBMS. The taxonomy essentially provides various security architectures for designing an MLS/DBMS.
Basic IPv6 Security Considerations
This overview covers the topics of flows, ICMPv6, neighbor discovery, routing headers, and DNS issues in IPv6.
The Hacker's Profiling Project (HPP)
The Hacker's Profiling Project (HPP) attempts to apply traditional criminal profiling techniques to the many different types of hackers and their motivations, as well as offering hackers of many stripes the opportunity to describe themselves and their motivations via a unique questionnaire, which in turn will aid in the prevention and countering of IT crimes. This chapter from Profiling Hackers: The Science of Criminal Profiling as Applied to the World of Hacking shows in detail the individual steps that make up the project.
Prevent Identity Theft with 12 Tips for Safe Holiday Shopping Online
As more business is conducted online and sensitive data is stored on personal computers, the risk of electronic fraud increases exponentially. The holiday shopping season further increases this risk as online retailers provide heavy discounts to attract consumers searching for the best deals. If history repeats itself, Monday November 30th, better known as Cyber Monday, will be the largest online shopping day of the year. And while shoppers look forward to this day, identity thieves are even more eager to steal the plethora of personal information that will be shared between consumers and businesses. Here are 12 tips for savvy consumers who wish to protect themselves this holiday season.
Getting Started with Security Metrics
In this audio interview, Krag Brotby, author of Information Security Management Metrics, explains the necessary preliminary steps you need to take before you start to collect data. It's a process of first determining the outcome, then the objectives to achieve that outcome, the strategies needed to reach the objectives, and finally the metrics needed to manage the process of achieving the outcome. As he makes clear, a security metrics program is much more than data collection and analysis.
Introduction to Computer Ethics
This introduction to computer ethics by Rebecca Herold traces its history, covers regulatory requirements, discusses various topics in computer ethics, and highlights common fallacies, codes of conduct, and resources.
Introduction to Social Engineering
Social engineering is the name given to a category of security attacks in which someone manipulates others into revealing information that can be used to steal data, access to systems, access to cellular phones, money or even their own identity. This article examines ways in which people, government agencies, military organizations and companies have been duped into giving information that has opened them to attack. It looks at who the social engineers of today are, what they are after, and the low-tech as well as the newer forms of electronic theft, and explores measures that will keep your personal, customer, supplier and company information out of the hands of the social engineer.
Security Weaknesses of System and Application Interfaces Used to Process Sensitive Information
This chapter from the Information Security Management Handbook focuses on the problems associated with user abuse of authorized interfaces. Common interface aspects that provide a user with the ability to circumvent or disregard security policy will be presented. The discussion is centered on Microsoft Windows NT-based operating systems and compatible applications, but much of the information is applicable to other operating systems that also make use of graphical interfaces.
Introduction to Vulnerability Management
Vulnerability management (VM) is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This is a broad definition that has implications for corporate or government entities. It is not a new discipline, nor is it a new technology. This vital function has been a normal part of hardening defenses and identifying weaknesses to systems, processes, and strategies in the military and in the private sector. With growing complexity in organizations, it has become necessary to draw out this function as a unique practice complete with supporting tools. This has resulted in an important refinement of the definition of VM as a segment of risk management.
Security Metrics Overview
Metrics is a term used to denote a measure based on a reference and involves at least two points, the measure and the reference. Security in its most basic meaning is the protection from or absence of danger. This article discusses metrics as they are used--or not used--to tell us about the state or degree of safety relative to a reference point and what to do to avoid danger.
Could Your Mobile Device Land Your CEO in Court?
There are many industry-specific compliance regulations that exist to protect customers’ personal data, and yet so many companies are still contravening these statutes and laws. So, if you lose your mobile device with work data on it or details of your customers, who is liable? Even if you own the device and it has work-related data on it, your board of directors could be liable, so effectively you could land your boss in court. That’s great fun if you hate your boss, but on the serious side most companies are just not aware of the implications or regulations of protecting data. This article outlines why companies should be protecting their data and how they can go about doing this.
Mid-Year 2009 Internet Security Trends
One well-known characteristic of the computer industry is how quickly it changes. Advancements are made in technology so fast that keeping up with the curve often seems daunting. However, one aspect of the industry is essential to stay ahead of--security. As threats increase in volume and severity, the importance of monitoring those changes is paramount. Symantec maintains a watchful eye on threat landscape trends. At the end of 2008, Symantec researchers predicted a number of security developments to watch for in 2009. Here's what Symantec predicted and how the predictions have stood up thus far.
On the Web's 40th Anniversary, the Top Web Threats
This week marks the 40th anniversary of the Internet. Symantec Security Response pulled together a list of the top ten most notorious threats seen on the Internet in its 40-year history.
The Business Survivability Question: Is Your Data Safe?
Today's workforce requires immediate access to information, applications, coworkers and customers. Both large and small enterprises are increasingly online, mobile and Web 2.0-driven. These advancements illustrate that IT is no longer just a business tool; it is business. Yet every year businesses experience the effects of data loss stemming from information technology (IT) network outages and as IT systems fail, daily operations follow, and the results can be fatal. Businesses should strive to create a high availability infrastructure that responds robustly to new-age business challenges and disruptions. Data replication solutions can play an important role in implementing high availability. They can also serve as a cornerstone to effective business continuity (BC) and disaster recovery (DR) strategy and they can be very affordable.
Understanding DLP
In the past year or two, the term "data loss prevention" ("DLP") has been both abused and overused by security vendors that are desperate to make their products sound more relevant and useful than they really are for solving the problem of data breaches. This has led to the unfortunate situation today where it's often difficult to tell exactly what DLP is and what it is not. To help clarify the current confusing situation, this article describes what DLP is as well as what it can and cannot do, covering both its capabilities and its limitations.
Devising a Workable IT Planning Strategy
Effective decisions are elusive without good planning abilities and good decisions about how IT should be deployed and managed are no different. Consistent decision-making requires a defined framework, methodology or, in short, a process. So if IT planning consists of all of the activities that support consistent decision-making, then the IT planning discipline has to be made up of activities performed in a process that is repeatable, has defined responsibilities, has a defined order to the activities and is auditable. As this article explains, to make quality decisions, the process should provoke the right questions and supply the information that can support the decision-making.
More Than a Check Box: How GRC Principles Measure Security and Accountability
Privileged accounts and privileged users have the power to change system data, user access, configuration, and so forth. They also have the power to easily sabotage the critical IT operations of any organization. Privileged passwords are extremely critical to overall system access and functionality, and in order to meet compliance regulations, organizations must address this issue. This article shows how you can mitigate the insider threat with GRC.