Author: admini

Cybersecurity vendors form policy advocacy group

Posted on by admini

Introduced at security software maker RSA’s ongoing conference in San Francisco, the group has been christened the Cyber Security Industry Alliance (CSIA) and will be headed by Paul Kurtz, a former special assistant to the president who has worked on technology issues for the White House’s Homeland Security Council.

Among the 12 companies represented in the organization are security specialists such as Check Point Software, Computer Associates International, Entrust, Internet Security Systems, Network Associates, Symantec and RSA. The overriding goal of CSIA would be to gather input from leading cybersecurity providers and create initiatives for proposals to fellow technology vendors and government regulators alike. The group will be broken up into four committees that address the association’s major areas of interest.

Although Microsoft and other information technology leaders were not asked to be directly involved with the organization, Kurtz said it would be critical to generate participation from such companies in order to gain support for CSIA measures.

More info: http://zdnet.com.com/2100-1105_2-5165204.html

Read more

Banks falling behind on Basel II

Posted on by admini

Implementation is due in 2007, but requires that banks are using Basel compliant systems and data for several years before then.

The most widely perceived benefit is an improved credit rating system, followed by improved management of operational risk. A reduction in capital requirements was only the fourth most highly rated benefit.

Amongst UK banks, progress is generally greater – but they have concerns around the cost of implementing Basel, lack of IT flexibility, and uncertainty over how the regulator will be assessing the robustness of the systems they have developed. Globally, around 10 percent of banks are still establishing their Basel teams – and in the Asia Pacific region this climbs to as high as 22 percent. Only eight percent of banks have reached the testing and validation phase of their project on credit risk (although this rises to 15 percent in the Americas).

While 46 percent of banks have reached the systems modelling stage or further on credit risk, only 33 percent have done so on operational risk. Banks are also generally planning to take a more advanced approach to credit risk than operational risk – over a quarter are intending to take the most advanced approach to credit risk, while only 11 percent plan to do so on operational risk.

Barriers
The cost of complying with Basel was seen as the biggest barrier – perhaps not surprisingly, as half of respondents said that their total Basel budget was less than $1 million. Other widely cited concerns were lack of time, lack of data for operational losses, inflexibility of existing IT systems (a concern in Europe especially) and, in the Asia Pacific region primarily, a shortage of Basel experts. Concerning Europe, Jane Leach commented “Whilst European banks are relatively ahead of the pack, they cannot afford to be complacent.

More info: http://continuitycentral.com/news0980.htm

Read more

Sarbanes-Oxley Doesn’t Worry Most IT Managers

Posted on by admini

“Sarbanes-Oxley is asking companies to make sure they have documenting procedures in place,” said Aberdeen’s Christa Degnan in an interview. “Some respondents indicated that SOX compliance prompted changes in their supply-management strategies and operations, but no corresponding increases in their IT budgets,” she noted. A few respondents, representing about 10 percent of those polled in the survey, said SOX had no impact whatsoever on their supply-chain organizations.

What about the one-third who said SOX will have an impact on their IT and supply-chain operations? Aberdeen found that, of the one-third considering upgrading IT operations to comply with SOX, more than 40 percent were considering beefing-up contract-management and supply-chain analytics functions.

More info: http://www.securitypipeline.com/news/18200145;jsessionid=CQYMSM0OSFI3GQSNDBGCKHQ

Read more

Zone Labs Updates Integrity Security Policy Enforcer

Posted on by admini

Integrity 5.0 ensures that endpoint systems — laptops, desktops, and even mobile devices — are meeting security policies established by the IT department before access to the network, either from within the firewall or remotely from outside the perimeter, is allowed. Boasting increased integration with Check Point’s popular line of virtual private networking (VPN) access and firewall products, Integrity 5.0 guarantees that only systems meeting security policies can connect remotely via VPN, said Fred Felman, vice president of marketing for Zone Labs.

“Integrity allows administrators to deploy and manage a very flexible set of alternative rules if a client is out of compliance with policies,” Felman said.

The new centrally-managed policy maker and enforcer also now sports support for security patches and service packs — such as the blizzard of those released by Microsoft — so that endpoint machines are forced to deploy those that administrators think are necessary before the systems connect to the enterprise environment. The new Integrity server software supports Windows 2000 and Windows 2000 Advanced Server, while the Integrity clients run on Windows 95, Windows 98 Second Edition, Windows 2000, Windows NT 4.0 Workstation, and Windows XP Professional.

More info: http://www.techweb.com/wire/story/TWB20040223S0008

Read more

How Long Must You Wait for an Anti-Virus Fix?

Posted on by admini

AV-Test is not as well-known in the United States as it should be, possibly because the group is located in Germany at the Otto von Guericke University Magdeburg. Andreas Marx, manager of AV-Test, provided test results showing how long it took 23 major anti-virus programs worldwide to come up with new signature files during the past several weeks. The new signature files involved in the test were developed to fight four novel viruses that weren’t being caught by the preventive or “heuristic” techniques of most anti-virus programs. These four new viruses are known as Dumaru.Y, MyDoom.A, Bagle.A and Bagle.B.

AV-Test uses special scripts to check the servers at anti-virus companies every five minutes, looking for new signature files.

H:M Anti-Virus Program
06:51 Kaspersky
08:21 Bitdefender
08:45 Virusbuster
09:08 F-Secure
09:16 F-Prot
09:16 RAV
09:24 AntiVir
10:31 Quickheal
10:52 InoculateIT-CA
11:30 Ikarus
12:00 AVG
12:17 Avast
12:22 Sophos
12:31 Dr. Web
13:06 Trend Micro
13:10 Norman
13:59 Command
14:04 Panda
17:16 Esafe
24:12 A2
26:11 McAfee
27:10 Symantec
29:45 InoculateIT-VET

Although new signatures are sometimes posted very quickly in special cases, many major anti-virus services schedule regular online updates only once or twice a week, AV-Test says. Other providers, such as F-Secure, schedule updates seven times a week, while Kaspersky Labs schedules them 20 times a week, according to AV-Test’s figures.

Kaspersky schedules new signature files the most often — and earned the fastest average response times in AV-Test’s real-time trials, shown above — because the company has a large number of people around the world analyzing viruses and developing cures, Holdsworth says.

More info: http://itmanagement.earthweb.com/columns/executive_tech/article.php/3316511

Read more

Stuck in the SAS 70s

Posted on by admini

A little-known and perhaps largely outdated auditing standard for outsourcers could be the next big hurdle for Sarbanes-Oxley compliance. The standard in question is Statement on Auditing Standards No. 70, “Reports on the Processing of Transactions by Service Organizations.” Set up by the American Institute of Certified Public Accountants in 1993, SAS 70 spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.

Auditors and other critics of the standard say SAS 70 is in need of a major overhaul, especially considering the June deadline for Section 404 compliance facing many public companies.

Stan Lepeak, vice president of the research firm Meta Group, believes that incompatibilities between SAS 70 and Sarbanes-Oxley will “dampen outsourcing, at least in the short run, until outsourcers can show that they have both the adequate controls in place [and] evidence to prove that.” Tom Eubanks, of IBM business consulting services, isn’t so sure. “On first blush,” he says, “one might think, ‘Why would you outsource in a world where Sarbox is in place…and the magnifying glass is on the finance function?’ ” But what Eubanks and his colleagues are finding, he adds, is that “companies are looking at outsourcing as a valid way to address some [Sarbanes-Oxley] issues.”

All in the Timing Under SAS 70, an outsourcing-service provider undergoes an annual audit, performed either by its own independent auditor or by the auditors of its outsourcing clients. There are two types of service-auditor reports.

Type I includes the service auditor’s opinion on the fairness of the presentation of the provider’s description of its controls and how well they’re designed to meet specified control objectives.

Type II reports, generally preferred for their greater depth, include the same data as Type I as well as the auditor’s opinion on the effectiveness of the controls during the period under review.

More info: http://www.cfo.com/article/1,5309,12161|0|C|1|,00.html

Read more