Payment Card Security & IT Controls Explained

Entries from February 2009

Devolution, Forrester, Synergies, and reducing TOC

February 26, 2009 · 1 Comment

Devolution was pitched yesterday by Forrester researcher Andrew Jaquith on a webcast entitled “Effective Data Security: No Forklift Required”. I quite enjoyed the presentation and thought the concepts were timely and consistent with what has been needed in the market. In fact, I spoke on this last year at the RSA Conference 2008 and dedicate a portion of my book, IT Compliance and Controls, to this concept. However, my focus was on synergies across business controls and operational targets and less on the DLP-type challenges Forrester was addressing. The Forrester research provided good details on the expected shifts in budget, but not on how IT functions and security safeguard requirements will evolve in these situations.

There is tremendous value to be gained from current technology deployments, and tremendous waste occurs when organizations do not communicate. While that is not a very insightful statement, one should consider this: organizations that require their technology to meet 99.9xx% uptime and undergo several audits on privacy / PCI / SOX / IFRS / FISMA / HIPAA, yet do not align the underlying technology components, are wasting money and time. Specifically, according to my research and field experience, these institutions tend to be more insecure despite the heavy focus on meeting audit deadlines and customer SLAs. To save on budget, regardless of the state of the economy, find synergies and move forward with better security and fewer service problems. A key litmus test: does your staff have to respond more than once for an audit? If so, this is a symptom of wasted effort and untapped budget flexibility.

During the Forrester call there were several great questions posed. If you are able to attend future research calls, I would advise posting questions to ensure maximum value.

Thoughts and Comments?

James DeLuccia IV

**Speaking at RSA 2009 on the Payment Card Industry, April 22nd 2009**

Categories: Compliance

IT Compliance and Controls Book Review by MSI

February 20, 2009 · Leave a Comment

MSI recently read and reviewed the book online. They reinforced the tenets of the book: achieving optimal operating standards within the business and addressing the risks of the business. CIOs and executives must read this book for the following reasons:

  • Explanation of Technology Ecosystems and their impact in current business models
  • Matrix regulation safeguard interpretation standards
  • Enterprise Risk Management Action Steps
  • Single and best practice approaches to meeting SLAs in a downturn

Check out the great review here and the online book reviews on Amazon here.

Comments, Challenges, and contrarian views?

James DeLuccia IV

**I will be presenting at RSA 2009 on PCI DSS – check out the site here for conference details**

Categories: Compliance

Cloud Computing and the Assumed Lack of Security

February 13, 2009 · 1 Comment

At a discussion with Oracle President Charles Phillips and Matt Trevathan last night, the question of whether or not cloud computing or grid computing systems are inherently weaker was brought up. The question was raised in relation to the privacy concerns of people’s data flowing across “foreign” systems, and the duties of the organizations involved in utilizing these systems. The discussion was interesting and you can see my article on it here, and the archive of the live broadcast should be posted here at the MIT Forum in the next couple of days.

One point I want to highlight from the discussion is the concept that utilizing services is inherently insecure. I don’t agree with this flat assumption and, despite a great deal of discussion, feel that SaaS and cloud-type systems can be equally as secure as internal operations. Beyond that, I feel that we have allowed a biased assumption to be introduced into our quantitative risk calculations. That bias is: we don’t own those systems (Amazon AMIs, for instance) and don’t control physical access to them, so we have less confidence in them. True, we don’t have access and others DO have access, but does that make them inherently insecure relative to other such systems? By other systems I mean the Internet itself. We currently operate our own data centers within the happy walls of our buildings and push packets out of our firewalls to clients, suppliers, BPO providers, 401k processors, partners, remote offices, home office team members, coffee shop workers, and numerous other locations. The fact is that there are likely 20 devices in line that we have no control of whatsoever!

The impact is that we must establish secure communication technologies between points A and B; we must place laptop encryption on portable devices; we must establish certificates and authentication mechanisms to ensure that only authorized persons and systems are communicating; and we must have agreements between all the parties.

The fact is the situation is the same. Controls are required, assurance is mandatory, and we must have confidence. Check out the discussion on GPB, and please add any further thoughts in the comments.

How does this fit in with PCI DSS and other regulatory concerns? Simple: the technology platform is evolving, we currently consume dozens of services that are hosted and managed in the cloud, and that is only going to grow. Hybrid models will be with us for a very long time. The good news is that current legislation and mandates do not restrict the use of such systems and have sufficient language to leverage these technologies while meeting the intent of the regulations: securing the data.

Kind Regards,

James DeLuccia IV

Categories: Compliance