360-degree security
Converged security takes a holistic approach to safeguarding your company
Ask what computer security means and many people respond with the same basic ideas: good backups, a firewall, encryption and antivirus protection. However, experts argue true security should involve all areas of the business, from the server room to the boardroom.
Technology alone is never enough to safeguard an organization. Understanding how processes operate within the company is crucial. This notion, called converged security, includes an understanding of physical as well as logical security. It involves educating people on security best practices and making it harder for intruders to infiltrate the company using social engineering. It even extends down to minute technical areas of your operation, including something as innocuous as a document scanner in a branch office.
“One concern around network attached scanners, for example, is that a copy of a scanned image may be retained on the device’s hard drive,” said Steve Oblin, imaging product marketing manager at Fujitsu.
The experts in this security supplement provide unique perspectives on the multifaceted challenges facing modern organizations that want to protect themselves as much as possible from risk. The final lesson is perhaps the hardest: no organization can count itself as entirely secure. Instead, methodical risk analysis and mitigation procedures can reduce risk to an acceptable degree, but doing this effectively requires an understanding of the company in question and the sector in which it operates, with all the regulatory and legal requirements therein. An individual security measure is never enough—the trick is ensuring that many such measures work together to seal an organization as much as possible against attack.
10 Critical Questions you should be asking your organization
1. Who are the outsourcing organizations we contract with and where are they located?
2. Precisely what data are we sending to, and receiving from, those outside our organization?
3. Is the data personal information, and have we given notice to our customers of this data transfer?
4. What are our exposures if the data (both sent and received) is improperly accessed, used or maintained?
5. What data protection clauses do we have in these contracts?
6. What evidence do we have that these outsourcing organizations protect our data as outlined in these data protection clauses?
7. What processes are in place to monitor the outsourcing organizations?
8. Do these organizations outsource any of their processes in which our data may be further transferred to another organization?
9. What processes do the outsourcing organizations we contract with use to verify the data protection practices followed by their outsourcing partners?
10. What are the applicable laws, regulations and compliance mandates that our organizations should be managing against?
Beyond PC Security
Symantec widens security focus from desktop computers to all user devices
A quarter of a century is a long time in computing. Today’s personal computing devices bear little resemblance to the PC that IBM launched in 1981. The evolution of the Windows operating system, the introduction of mobile computing and smaller form-factor devices are among the developments that have made security an increasingly complex task. Rather than desktop computer security, Symantec Corp. now talks about endpoint security, to accommodate the plethora of different devices that may connect to a network.
It is Symantec’s job to simplify endpoint security for IT managers, enabling them to walk the fine line between flexibility for employees and security for the organization. We recently launched Symantec Endpoint Protection 11.0 and Symantec Network Access Control 11.0, designed to both protect the endpoint from infection and the network from infected computers.
Endpoint Protection 11.0 uses a single software “agent” designed to protect endpoint devices from an array of threats. “After ensuring that we had all the right technologies in our portfolio, we redesigned the integration of those technologies into a single endpoint agent,” explains Kevin Murray, Senior Director for Endpoint Security at Symantec.
“Consolidating all of those technologies into a single software agent consumes less memory while the product operates,” Murray adds. Other products can use as much as 130MB of memory to secure an endpoint, but Symantec’s solution now uses about 20 per cent of that. Customers have been reporting up to a 75 per cent reduction in the time spent managing endpoint security as a result of using this simplified but comprehensive product, according to “Total Operational and Economic Impact Analysis” by The Alchemy Solutions Group, October 2007.
Endpoint Protection 11.0 encapsulates established security functions, including antivirus, anti-spyware, firewall and intrusion prevention, but also includes a new feature: application control. “Application control enables customers to manage and enforce applications in the computing environment, preventing the use of unauthorized software,” explains Murray.
Application control makes the computing environment more secure, because locking down applications prevents users from installing software with their own security vulnerabilities. IT managers can now prevent users from installing inherently insecure applications, such as peer-to-peer file sharers on their PCs, for example. “One customer told us that they have seen a 50 per cent reduction in helpdesk calls as a result of implementing this technology,” Murray says, again citing the Alchemy Solutions Group report.
Endpoint Protection 11.0 protects client devices from malicious network activity and from naïve users, but what if an infected endpoint without such protection manages to connect with the network? Even the most secure network will be vulnerable to infection from mobile devices that have been exposed to the public Internet. If, for example, employees or freelance contractors use their computer on a public Wi-Fi hotspot they could have become infected by malicious code. When they connect that computer to the network inside the corporate firewall, that malware could easily take down the entire infrastructure.
Symantec’s Network Access Control 11.0 protects the network from compromised endpoints. “Symantec Network Access Control determines the configuration of the system before it is granted access to the network,” explains Murray. Software within the network analyzes an endpoint device when it connects to evaluate compliance with the company’s security policy. For example, it may restrict network access until an endpoint device’s operating system has been fully updated with the latest security patches and its antivirus software has been loaded with the most recent antivirus updates.
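The posture check described above, reduced to its decision logic, as an added example (this is illustrative code, not Symantec’s product or its policy engine). The posture-report fields, the policy thresholds and the sample endpoints are constructed assumptions; a real NAC agent would collect the report from the device and the network would enforce the verdict by placing the host in a production or remediation VLAN.

```python
"""Endpoint posture evaluation of the kind a NAC system performs before
granting network access. Added example; the report fields, thresholds and
sample hosts are assumptions, not values from any product."""
from dataclasses import dataclass
from datetime import date


@dataclass
class PostureReport:
    host: str
    os_patch_date: date        # date of the last installed OS security update
    av_installed: bool
    av_signature_date: date    # date of the loaded antivirus definition set
    firewall_enabled: bool


@dataclass
class Policy:
    max_patch_age_days: int = 30    # assumed threshold
    max_signature_age_days: int = 7  # assumed threshold
    require_firewall: bool = True


def evaluate(report, policy, today):
    """Return ("allow", []) or ("quarantine", [reasons]).

    Every check is evaluated so the remediation message lists all failures
    at once instead of making the user fix them one reconnect at a time.
    """
    failures = []
    patch_age = (today - report.os_patch_date).days
    if patch_age > policy.max_patch_age_days:
        failures.append("OS patches are %d days old (limit %d)"
                        % (patch_age, policy.max_patch_age_days))
    if not report.av_installed:
        failures.append("antivirus not installed")
    else:
        sig_age = (today - report.av_signature_date).days
        if sig_age > policy.max_signature_age_days:
            failures.append("antivirus signatures are %d days old (limit %d)"
                            % (sig_age, policy.max_signature_age_days))
    if policy.require_firewall and not report.firewall_enabled:
        failures.append("host firewall disabled")
    return ("quarantine", failures) if failures else ("allow", [])


def assign_vlan(verdict):
    """Map the verdict to an enforcement action (VLAN names are assumed)."""
    return "vlan-production" if verdict == "allow" else "vlan-remediation"


# Constructed sample endpoints: a laptop returning from a public hotspot with
# stale patches and signatures, and an up-to-date office desktop.
TODAY = date(2007, 10, 15)
LAPTOP = PostureReport("sales-laptop-07", date(2007, 8, 1), True, date(2007, 10, 1), True)
DESKTOP = PostureReport("finance-pc-12", date(2007, 10, 10), True, date(2007, 10, 14), True)


def check_all(reports=(LAPTOP, DESKTOP), policy=Policy(), today=TODAY):
    """Evaluate each report; returns {host: (verdict, vlan, reasons)}."""
    results = {}
    for r in reports:
        verdict, reasons = evaluate(r, policy, today)
        results[r.host] = (verdict, assign_vlan(verdict), reasons)
    return results


if __name__ == "__main__":
    for host, (verdict, vlan, reasons) in check_all().items():
        print(host, verdict, vlan, "; ".join(reasons))
```

The laptop fails two checks and lands in the remediation VLAN, where it can reach only update servers until it reports a clean posture; the desktop is admitted directly.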
Because security is in everyone’s best interest, Symantec has made the deployment of these technologies as easy as possible. The latest versions of its software are available under its entitlement program, which provides existing customers with upgrades and maintenance releases for its products. “Because we have consolidated all of these technologies into a single agent, many customers will now receive more protection than they originally purchased,” Murray explains. Customers that previously purchased its Symantec AntiVirus Corporate Edition, Symantec Client Security, Sygate Enterprise Protection, and its behavioural analysis product Confidence Online, are now protected by a broader array of security functions. “The entitlement program is very generous and it maps across the entire Endpoint Security line of business.”
Symantec has taken this bold step because security should map across an entire business. An organization’s security is only as good as its weakest point. Protecting your network and the devices that attach to it will go a long way towards avoiding the types of security breach that can easily land a company on the front page.
For further information: call 1-877-BUY-SYMC or visit Symantec.com/endpointsecurity
Payment Card Compliance: is your organization ready?
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all entities that handle credit card data to help reduce fraud and identity theft. This standard is critical to minimizing risk and maximizing credit card data protection.
Many merchants and service providers are struggling to bring their credit card processing environment into compliance with the PCI Data Security Standard. The key to this is planning and preparation: proper prior preparation prevents poor performance. PCI DSS compliance is a demanding task and companies must carefully prepare and plan for it.
Organizations must first seek to understand their cardholder processing environment before any planning activity. Completing a Self-Assessment Questionnaire (SAQ) and performing a preliminary gap analysis to assess your readiness are two critical steps to understanding your environment.
With a good understanding of your environment, you should now have an idea of where you are. Now you can start planning on how to get to where you need to be.
What you need to know
Find out what you need to do to demonstrate compliance: On-site audit, self-assessment questionnaire or quarterly scans?
Get senior management buy-in: Compliance with PCI DSS is a business risk issue. Get senior management support before you embark on this journey as you will need a lot of resources to achieve compliance: money, people and time.
Involve multiple departments: PCI compliance is not just an IT or corporate security initiative. Involve HR, operations, finance, accounting and others.
Leverage other compliance programs: The work required by PCI DSS may already be done. Make sure you align your PCI compliance efforts with other compliance efforts going on in your organization.
Review third-party agreements: Make sure third-party and all connected-entity agreements contain language that they must be PCI compliant, if necessary.
Segment your network: Although internal network segmentation is not a requirement of PCI DSS, it can significantly reduce the scope of your PCI assessment, and therefore the cost and effort required. A flat network design puts your whole organization in scope of the PCI assessment. Review your network diagram and have your cardholder processing environment adequately segmented from the rest of your network, if required.
Information security management system: To comply with PCI DSS you must have a comprehensive set of security policies in place.
Take advantage of compensating controls: If you will not be able to meet certain PCI requirements the way they are written, you can use alternate controls to compensate for the gaps. The compensating control must be above and beyond other PCI requirements and must also meet the intent and rigour of the original PCI requirement.
Vulnerability assessment: This will help identify vulnerabilities you may have on your network and to start the remediation efforts ahead of time.
Retain only necessary data: If you don’t need it, don’t store it. Eliminating sensitive cardholder data from your environment does two things for you: it immediately removes your risk and it reduces the scope of your PCI assessment. You do not need to keep sensitive cardholder data post authorization.
Get documentation ready for assessors: Make sure you have well documented policies and procedures, third-party agreements, configuration standards, technical documentation and network diagrams ready for the assessors. Make sure they are well organized, clear and up-to-date.
Get clarification from the PCI Council or your acquirer: If you need help with the interpretation of any of the PCI requirements, send an e-mail to the PCI Council at info@pcisecuritystandards.org. Your acquirer can help answer questions relating to your merchant or service provider level and compliance validation.
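The scoping effect of segmentation (the “Segment your network” item above) can be made concrete with a small model. This is an added example, not part of the article or Allstream’s methodology; the segment names and firewall rules are constructed. The model treats the cardholder data environment (CDE) as in scope together with every segment that has a permitted flow to or from it, and shows that a flat network, where every segment can reach every other, drags the whole organization into the assessment.

```python
"""Estimate PCI DSS assessment scope from a network segmentation model.
Added example; segment names and rules are constructed assumptions."""

# Constructed segments of a hypothetical merchant network.
SEGMENTS = {"pos-terminals", "payment-app", "admin-jump",
            "corp-users", "hr", "dev", "guest-wifi"}

# Segments that store, process or transmit cardholder data (the CDE).
CDE = {"pos-terminals", "payment-app"}

# Firewall rules as (source, destination) pairs permitted between segments.
SEGMENTED_RULES = [
    ("pos-terminals", "payment-app"),   # terminals send authorizations
    ("admin-jump", "payment-app"),      # administrators manage the app tier
    ("corp-users", "hr"),
    ("dev", "corp-users"),
    ("guest-wifi", "corp-users"),       # assumed: guests reach an intranet portal
]


def flat_network(segments):
    """Rules for a flat network: every segment may talk to every other."""
    return [(a, b) for a in sorted(segments) for b in sorted(segments) if a != b]


def in_scope(cde, rules, segments):
    """Return the segments in scope: the CDE plus every segment that can
    initiate or receive a permitted flow with a CDE segment."""
    unknown = {s for rule in rules for s in rule} - set(segments)
    if unknown:
        raise ValueError("rules reference unknown segments: %s" % sorted(unknown))
    scope = set(cde)
    for src, dst in rules:
        if src in cde:
            scope.add(dst)
        if dst in cde:
            scope.add(src)
    return scope


def scope_report(cde=CDE, segments=SEGMENTS, rules=SEGMENTED_RULES):
    """Compare scope under the given rules with scope on a flat network.
    Returns (segmented_scope, flat_scope) as sorted lists."""
    segmented = sorted(in_scope(cde, rules, segments))
    flat = sorted(in_scope(cde, flat_network(segments), segments))
    return segmented, flat


if __name__ == "__main__":
    segmented, flat = scope_report()
    print("segmented scope:", segmented)
    print("flat scope:     ", flat)
```

With the constructed rules only the two CDE segments and the administrative jump segment are in scope; removing the segmentation puts all seven segments in scope. A QSA may also pull in systems that provide security services to the CDE (authentication, logging, patching), so treat the model as a first estimate rather than the final scope statement.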
Finally, be ready to prove that you have exercised “due care.” Companies should focus on building good security into their network, rather than on PCI compliance itself. Mostly, the PCI Data Security Standard is all about best practices and a set of controls that organizations should have always had in place. With this approach, demonstrating your PCI compliance becomes easier as all you now have to do is document your security controls and be ready to prove you have put in your best effort and done your due diligence.
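The “Retain only necessary data” item above (do not keep sensitive cardholder data after authorization) can be enforced in code at the point where a transaction record is written. The following is an added example, not code from the article or from Allstream: it flags sensitive authentication data that must never be stored post-authorization (full track data, the card verification code, the PIN block), drops those fields, and truncates the PAN to the first six and last four digits so the stored record no longer contains a usable card number. The field names and the sample record are constructed assumptions. If the business genuinely needs the full PAN, it has to be rendered unreadable by encryption or tokenization, which this example does not cover.

```python
"""Scrub a post-authorization transaction record of sensitive authentication
data and truncate the PAN. Added example; field names and the sample record
are constructed assumptions."""
import re

# Sensitive authentication data: must not be stored after authorization.
SENSITIVE_AUTH_FIELDS = ("track1", "track2", "cvv2", "pin_block")


def normalize_pan(pan):
    """Strip spaces/dashes and validate the PAN length (13 to 19 digits)."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    return digits


def truncate_pan(pan):
    """Keep first six and last four digits; replace the middle with '*'."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_violations(record):
    """Return the names of prohibited fields present in a stored record."""
    return sorted(k for k in record if k in SENSITIVE_AUTH_FIELDS)


def scrub_post_auth(record):
    """Return a copy safe to retain: SAD removed, PAN truncated."""
    cleaned = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in cleaned:
        cleaned["pan"] = truncate_pan(cleaned["pan"])
    return cleaned


# Constructed sample: what a point-of-sale application might hold right
# after an authorization response, before writing the transaction log.
SAMPLE_RECORD = {
    "txn_id": "T-000123",
    "pan": "4111 1111 1111 1111",   # test-range number, not a real card
    "expiry": "12/09",
    "cvv2": "123",
    "track2": "4111111111111111=09121011234567890000",
    "amount": "19.99",
    "auth_code": "A1B2C3",
}


def process(record=SAMPLE_RECORD):
    """Report violations, then return the record as it should be stored."""
    violations = find_violations(record)
    return violations, scrub_post_auth(record)


if __name__ == "__main__":
    violations, stored = process()
    print("prohibited fields found:", violations)
    print("record to retain:", stored)
```

Running `find_violations` over existing logs and databases is also a cheap way to discover where sensitive authentication data has accumulated before an assessor finds it.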
Ola Olafunmiloye is a Managing Consultant with Allstream, Security Practice in Canada. Ola is a CISSP, CISA and PCI Qualified Security Assessor (QSA) and specializes in assisting merchants and service providers in applying the PCI Data Security Standard to their cardholder processing environment.
Allstream is a Qualified Security Assessor (QSA) and provides PCI DSS readiness reviews, assessments and remediation services.
For more information visit us online at www.allstream.com or call 1-888-339-7866
Information management: protect yourself and your customers
KPMG delivers seven-phase lifecycle management process
Many companies today understand that information is an asset, but how many of them realize that badly managed information can also be a liability? Today, regulatory frameworks strictly control information governance and companies that do not manage data at all stages of its life cycle risk information leaks.
Retention is one area in which companies find themselves balancing different needs. They must retain and correctly manage the information necessary to run their business. However, they must also limit the level of information that they store, to minimize the risk of that data falling into the wrong hands.
“But in other cases, the inappropriate destruction of a record and the lack of filing and retention policies may negatively affect an organization,” explains Yvon Audette, a partner within KPMG Canada’s IT Advisory Services group.
Consequently, information lifecycle management (ILM) is becoming a pivotal concept for companies that want to protect themselves and their customers. KPMG outlines seven phases within the information lifecycle, from its initial generation and use through to its archiving and eventual destruction. Each of these phases carries its own considerations, explains Humbert Low, senior manager and security and privacy service line leader within KPMG. “You must understand the technology components that need to be in place when you are moving information around,” he explains. “What is encrypted? What is the handling procedure around off-site tape operations, for example?”
KPMG brings a rich portfolio of security practices to the table when tackling ILM challenges. It can assess different threats to corporate information with the help of vulnerability and penetration testing procedures, and can also audit security operations to identify areas of potential improvement.
“In particular, KPMG’s identity management services are helping organizations understand what is involved in properly developing the transformation projects needed to move forward with an ILM solution,” says Audette, who emphasizes that managing the information lifecycle presents both technical and organizational challenges. Companies must understand which technical systems need access to information at different points in its lifecycle and must analyze them in a business context, particularly if they want to reap the business benefits that an ILM solution can deliver.
“They must understand how people, processes and technology come together to gain the benefits that can arise from such a solution,” explains Audette. “As an advisory organization, the strategy development part is really where KPMG can add value for clients.”
For further information visit us online at www.kpmg.ca
Strategic and operational business continuity
Step one: have a good plan. Step two: be ready to execute it
Many companies equate business continuity with simple data backup, but true continuity involves a more holistic understanding of what it takes to keep the company’s business running, explains Rebecca Whitener, vice-president for EDS Enterprise Risk Management and chief risk officer at the company. “The reality is that to have an effective plan, you have to take into account everything from business, through to strategy, culture and technology.”
An effective business continuity strategy involves expertise both at the strategic level, so that contingencies can be effectively planned, and at the operational one, so that they can be executed quickly and accurately. One of the first steps in the planning process involves identifying the risks to specific applications, along with their probability and scope. The resulting risk impact matrix can then be used as a platform to identify and create contingency measures.
The strategic planning team must have a unique mixture of skills, taking in everything from regulatory expertise to sector-specific knowledge. “Having an understanding of the industry that the client is working in is important, along with the issues that might surround specific scenarios,” Whitener says. “Our team would understand how a pandemic flu would affect the client’s workforce, for example. Having contingencies to cope with issues such as workforce placement forms part of that expertise.”
A crucial part of this process involves working with numerous third-party stakeholders. EDS’ team of technical business continuity experts can not only plan the necessary technical solutions but can also work with participants outside the client’s domain to ensure that all parties work in unison in the event of a disaster. This can include not only equipment suppliers but also utility companies, for example.
This ability to work with multiple parties is crucial. Very few companies use products from a single technology vendor, and so business continuity planners must be comfortable dealing with many different suppliers. “It’s not about who’s got turf,” Whitener says. “Our clients work with anybody, and so we need to work with everybody. We have a track record doing this.”
For further information visit us online at www.eds.ca