Category: News

The group, made up of Oracle (Quote, Chart), Hewlett-Packard (Quote, Chart), Veritas, Sun Microsystems (Quote, Chart), Open Text, Hitachi Data Systems, Network Appliance (Quote, Chart) and Plasmon, expects to have resources available on the Internet Law & Policy Forum (ILPF) Web site in the next six months.

The ILPF is a non-profit organization that provides a neutral forum for challenges posed by the Internet on law, policy, technology and businesses worldwide.

The CMEI site will host documentation on best practices for information retention and maintenance regulations, provide counsel and exchange information with various businesses, legislative bodies and regulatory agencies in various workshops, and publish checklists and summaries of legal and regulatory requirements for interested companies.

Those sorts of conflicting policy goals, as well as some of the weak language found in ambiguous regulations was the main reason for the formation of the working group, according to Harald Collet, CMEI chairman and Oracle records management and compliance support product manager. With businesses focused on complying with the deadlines of specific regulations, he said, such as Sarbanes Oxley, they now have to work on building a framework that is more all-encompassing.

Collet points to research conducted recently by AMR Research, which said companies would spend $6.1 billion in 2005 just to gain compliance with the regulations contained in the Sarbanes-Oxley Act; of that $6.1 billion, $1.7 billion will go toward the technology that helps companies meet compliance standards. But while companies within the working group would stand to gain from selling their products directly to customers — Oracle sells software like its E-Business Suite 11i.9 to help get companies in line with regulations like Sarbanes Oxley and HIPAA — Collet said the goal of the working group is to help customers by finding the best answers for them.

“The vendors that are involved in this all go into it with a spirit of trying to address the technology issues around this,” he said, “and I think that everyone who is involved in trying to solve this issue on the vendor side, they have an interest in clarifying the obligations and issues and pointing the way towards technology solutions that can help with this; it’s a win-win for everyone.

Collect said membership is open for any vendor looking to join the CMEI working group, after paying the admission price of $10,000.

http://www.techweb.com/wire/security/159400873

The Business Software Alliance and Information Systems Security Association released results of their Information Security Survey, a Web poll of 850 worldwide members of ISSA conducted in December and January.

According to the survey, 44% of companies said a member of senior management is responsible for IT security, up from 39% in October 2003.

BSA, a consortium of 25 software companies that includes Cisco Systems, IBM, and Microsoft, supports enforcement of copyright and software-counterfeiting laws.

Among other findings: 78% of companies have a formal information-security program; 90% have an information-security officer; and 55% have a chief privacy officer.

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=5CWAFMGITIQIIQSNDBCCKH0CJUMEKJVN?articleID=60403494

The gambit came after China’s Wireless Authentication and Privacy Infrastructure (WAPI) security scheme was withdrawn and placed on a slower track by the ISO. China initially agreed last year to refrain from making its WAPI security scheme mandatory for wireless LAN equipment in China. It then approached ISO with a fast-track submission in an effort to make WAPI an international security standard.

Until this week, the ISO group was focused on whether or not both 802.11i and WAPI should be cemented as enhanced — but optional — security standards. However, sources said tempers flared when China’s original fast-track submission, designated 1N7506 of China National Standard GB15629.11 (WAPI), was withdrawn from consideration.

http://www.networkingpipeline.com/news/60403249;jsessionid=F5FTSCKZCDLYAQSNDBCSKH0CJUMEKJVN

The site, called ITsafe, will provide free information on the latest virus threats as well as advice on Internet surfing, e-mail use and protecting personal and business data. The site is funded by the British government’s Home Office and will use data from the National Infrastructure Security Coordination Center (NISCC), which is responsible for monitoring threats to the United Kingdom’s critical national infrastructure.

People will receive e-mail or text alerts about new virus and security threats once they have signed up to the service.

The Home Office said the alerts will outline the damage potential of any new threats and will offer instructions for any actions a person needs to take to update the security of their PC. Home Office Minister Hazel Blears said the site will provide jargon-free and easy-to-understand advice for nontechnically minded PC users.

Roger Cumming, director of NISCC, said in a statement that ITsafe will “take our technical expertise and use it to help home users understand the risks and keep their computer systems, mobile phones and a range of related consumer electronic items safe.”

http://news.com.com/U.K.+to+issue+public+virus+alerts/2100-7349_3-5588756.html?tag=cd.top

“Given their record in the security area, I don’t know why anybody would buy from them,” the former White House cybersecurity and counterterrorism adviser said yesterday, when asked for his thoughts on Microsoft’s forthcoming line of security software.

The observation came during an impromptu interview on the sidelines of the RSA computer security conference in San Francisco, where Clarke took part in panel discussions with other experts in technological and national security.

The company plans to release an anti-virus product this year and introduce a new version of Internet Explorer this summer — about a year sooner than expected — to boost security.

He said he asked Microsoft last year to disclose the specific quality-assurance practices it was following in the pursuit of more-secure software code. The idea, he said, would be for the software industry to collectively come up with a set of best practices for secure software development.

“There’s no fine involved, there’s no liability involved, but the marketplace is better informed, and the marketplace works better when it knows what’s going on,” Clarke said, drawing a round of applause from the crowd at San Francisco’s Moscone Center.

“The market is demanding security now, and that hard work is going forward already,” said Amy Roberts, director of product management in Microsoft’s Security Business and Technology Unit, in the statement.

During a panel discussion on technology regulation, Rick White, a former Republican congressman from Washington state, agreed with Clarke that it would be good to establish visible standards by which companies could be judged in the marketplace. “It’s just a question of how far you get the government involved.” But on the subject of government involvement, White and Clarke disagreed, as illustrated by a related discussion of Internet service providers.

http://seattlepi.nwsource.com/business/212437_rsaclarke17.html

The ratings will consist of three numbers, Gerhard Eschelbeck, the chief technology officer at security information provider Qualys said on Tuesday.

The first will be a baseline estimate of the severity of the flaw. The second will rate the bug depending on how long it has been around, and therefore how likely it is that companies have patched against it. The third will measure the threat a vulnerability poses to a specific corporate network. Each will take five or six factors into account for the measurement.

The companies plan to announce the first version of the system on Thursday, Eschelbeck said. They are proposing that vulnerability trackers such as BugTraq use the approach to label the severity of new software bugs.

Businesses can take the ratings to calculate the level of risk on their own network, to generate a single grade, depending on factors such as how reliant they are on the affected software.

“There are three numbers, but customers will deal with a specific final number,” Eschelbeck said. “You can see right out of the get-go how vulnerable you are.”

The launch, which will be made at the RSA Conference in San Francisco this week, is the fruit of a partnership of Redwood Shores, California-based Qualys, networking giant Cisco — which has recently announced a revamp of its security product line — and security company Symantec.

It is designed to provide the first systematic grading of flaws that can be used by companies to assess the potential damage to their vulnerable systems and to prioritise patching. The ratings could also offer insight into the severity of flaws on the different computing platforms, such as Microsoft Windows, Linux and Apple’s Mac OS X.

http://news.zdnet.co.uk/0,39020330,39188056,00.htm