SecurityRatty virtual discussion

July 3rd, 2008

Is SecurityRatty an RSS aggregator? Yes, it is.

- Fully automated, with no pre- or post-moderation
- No RSS Ads
- Manual feed/post removal on request (usually within 24h)

Here are some alternative opinions:

Huh?

Article: Analytics Brief: Securing The New Data Center

January 7th, 2008
Analytics Brief: Securing The New Data Center
Virtualization changes the rules for how companies secure their data and their computing infrastructure.


In a recent InformationWeek poll, 70% of respondents report they’re running at least one virtualized server, yet less than 12% have a security strategy tailored to their virtual environment. Given the relative nascence of virtualization offerings for the x86 platform, this doesn’t come as a shock, but that also doesn’t mean it’s acceptable. Of those without a security plan in place, almost half believe that virtual machines are as secure as traditional servers, while another 18% admit they don’t know whether virtualization changes the rules of the game for security (see chart below of responses filtered for “no plan in place”).

There’s little doubt that virtualization is an important and disruptive technology that will, in a relatively short period, change the face of the data center. Because virtualization is so disruptive, it also will clearly change the rules for how enterprises secure their data and their computing infrastructure. And, while we don’t believe that virtualization should remain off limits until a security strategy is fully nailed down, smart organizations will develop security and management strategies as they develop deployment plans for virtualization.

chart: Confidence Level -- In your opinion, how do virtual servers compare with conventional server environments for information protection and security?
New threats to security come on two fronts. The first and most obvious is the additional software footprint represented by virtualization. On the desktop, virtualization is often implemented as an “application” that runs as a process under a desktop operating system, like Windows. For servers, hypervisors have emerged as the preferred method for introducing a hardware virtualization layer between the “bare metal” hardware and general-purpose operating systems.

As such, hypervisors present a relatively small attack surface, as they’re often implemented in less than 100,000 lines of code. When compared with the millions of lines that make up a general-purpose operating system, creating a bulletproof hypervisor is a more realistic goal, but flaws will still exist, and exploits will be created. All the major players report that building a secure hypervisor is a top priority. VMware’s CTO, Mendel Rosenblum, goes so far as to boast that no security holes will show up in VMware’s ESX product because of design flaws; of course, that leaves open the possibility of implementation errors. Unfortunately, the enterprise is left with little other than vendor assurances to work with. While tools exist to detect rootkits and other compromises on conventional operating systems, no tools exist to detect their presence in the hypervisor, and because the hypervisor sits beneath every guest, tools running inside a guest cannot be trusted to see it.


GETTING SECURE
Help will probably come in two forms. First, it’s likely that as virtualization becomes more mainstream, hardware vendors will design end-user systems from the ground up to provide administrator-controlled VM partitions and hypervisor layers, making it harder for malware to enter systems.

A better fix uses the Trusted Platform Module (TPM) found in most new x86-based systems. Using the TPM, software authenticity can be checked and inter-VM traffic can more easily be encrypted. The TPM does not sign the software itself; it records hashes (measurements) of each component loaded during boot in its platform configuration registers and can sign a report of those registers, which makes it easier to determine that a system image has been altered and should be assumed compromised. Since the TPM is designed as a tamper-resistant hardware root for key storage, measurement and signing, it should help substantially in validating that software of all stripes hasn’t been corrupted by malware or by other means. The caveat is that a TPM only reports what was measured: it cannot flag changes to code that was never measured, nor a runtime compromise that occurs after measurement.

The other substantive threat is a byproduct of how multiple virtual machines communicate with each other on the same system; that, along with the ability to move running VMs from machine to machine, renders most network-based security products much less effective.
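Added example (not from the InformationWeek brief or any vendor’s code): a Python model of the measured-boot check the paragraph describes. A verifier replays a boot event log through TCG-style PCR extend operations and compares the result with both the TPM’s quoted PCR values and golden values recorded from a known-good image, so it can tell an altered hypervisor from an attacker who also rewrote the event log. The component names, blobs and PCR assignments are constructed for illustration, the hash bank is assumed to be SHA-256, and verification of the quote’s signature by the TPM’s attestation key is assumed to have happened already.

```python
import hashlib

# Assumption: a SHA-256 PCR bank (TPM 2.0 style); TPM 1.2 banks were SHA-1.
HASH = "sha256"
ZERO_PCR = bytes(hashlib.new(HASH).digest_size)   # PCRs start all-zero at platform reset


def measure(blob: bytes) -> bytes:
    """Digest of a component, as the loader measures it before handing control to it."""
    return hashlib.new(HASH, blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TCG extend: PCR <- H(PCR || digest). One-way and order-sensitive, so a PCR
    commits to every measurement in the chain and can only be reset, never rewound."""
    return hashlib.new(HASH, pcr + digest).digest()


def replay_log(event_log):
    """Recompute final PCR values from an event log of (pcr_index, name, digest)."""
    pcrs = {}
    for idx, _name, digest in event_log:
        pcrs[idx] = extend(pcrs.get(idx, ZERO_PCR), digest)
    return pcrs


def verify(quoted_pcrs, event_log, golden_pcrs):
    """Verifier-side checks on a TPM quote (the signed PCR snapshot).
    Returns (ok, reasons). Assumes the quote's signature was already checked
    against the platform's attestation key (not modelled here)."""
    reasons = []
    replayed = replay_log(event_log)
    for idx, quoted in sorted(quoted_pcrs.items()):
        if replayed.get(idx) != quoted:
            # The log the platform handed us does not reproduce the PCR the TPM signed.
            reasons.append(f"PCR{idx}: event log does not replay to the quoted value (log tampered or incomplete)")
        elif golden_pcrs.get(idx) != quoted:
            # Log and quote agree, but the software that ran is not the approved image.
            reasons.append(f"PCR{idx}: quoted value differs from golden value (measured software altered)")
    return (not reasons), reasons


# Constructed sample: firmware measured into PCR 0, hypervisor and kernel into PCR 4.
FIRMWARE = b"firmware-v1.2"
HYPERVISOR = b"hypervisor-build-4711"
KERNEL = b"guest-kernel-2.6"


def build_log(firmware=FIRMWARE, hypervisor=HYPERVISOR, kernel=KERNEL):
    return [
        (0, "firmware", measure(firmware)),
        (4, "hypervisor", measure(hypervisor)),
        (4, "kernel", measure(kernel)),
    ]


GOLDEN = replay_log(build_log())   # provisioned from a known-good boot of this image


def case_clean():
    log = build_log()
    return verify(replay_log(log), log, GOLDEN)


def case_altered_hypervisor():
    """Hypervisor patched on disk; the TPM measured what actually ran."""
    log = build_log(hypervisor=b"hypervisor-build-4711+rootkit")
    return verify(replay_log(log), log, GOLDEN)


def case_tampered_log():
    """Modified hypervisor ran, but the attacker rewrote the event log to the clean
    digests. The quote still carries the real PCR value, so replay fails."""
    real_log = build_log(hypervisor=b"hypervisor-build-4711+rootkit")
    claimed_log = build_log()
    return verify(replay_log(real_log), claimed_log, GOLDEN)


if __name__ == "__main__":
    for name, fn in [("clean", case_clean),
                     ("altered hypervisor", case_altered_hypervisor),
                     ("tampered log", case_tampered_log)]:
        ok, reasons = fn()
        print(f"{name}: {'OK' if ok else 'FAIL'} {reasons}")
```

The two failure cases show why the golden-value comparison alone is not enough: without replaying the log against the quoted PCRs, a verifier cannot tell whether a mismatch means altered software or a forged log, and a forged log that happens to replay to the golden values would pass if the quote were not checked at all.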

chart: Security Strategy -- Does your organization have a formal security/information protection strategy for virtualization server environments?
One of the first production uses for x86 virtualization has been server consolidation. The idea is that a single powerful server running a number of VMs can replace potentially dozens of older, lightly loaded individual servers. With so many VMs running on a system, the amount of communication between them can be significant. For intraserver communication between VMs, all virtualization products create a virtual switch, which is then shared by all VMs on the server. External network security tools, from firewalls to intrusion detection and prevention systems to anomalous behavior detectors, are all, by definition, blind to network traffic that never leaves the physical server.

One approach to securing multiple VMs on a single server is to ensure that all the VMs are running similar operating systems and that each has been properly patched. The notion is that if all systems running on a given server are similarly secure, their communications will be, too. Security products like host-based firewalls should be in place to provide what security they can.

A better solution is to use tools that are specifically intended to improve the security of virtualized environments.

Virtual appliances are, as the name suggests, VMs with a minimized and hardened operating system that’s been configured to precisely meet the needs of the appliance’s one application. The idea is to minimize or eliminate any operating system configuration work on the part of the end user, permitting rapid and consistent deployment with relatively little expertise required from the installer. Applications for virtual appliances range from grid computing to SaaS to security.

chart: VM Volume -- What fraction of your servers are virtualized?
Though a virtual appliance can be created for any virtualization environment, VMware is ahead of the field and has created a marketplace along with a try-before-you-buy Web site. More than 100 security-related virtual appliances are listed on the site. Only a fraction of those are from commercial vendors. The rest are applications created by internal groups or open source collaborations.

Among the vendors listed are Astaro, with a unified threat management appliance; Blue Lane, with a virtual patching appliance; Catbird, with a security agent; and Reflex, with an intrusion prevention appliance. As this group indicates, virtual appliances, much as their physical-world kin do for the legacy data center, can fill many of the security gaps created by a virtualized environment.

Also In This Report
>> Chipset futures: We look at the latest offerings from Intel and AMD and analyze how their architectures affect security
>> From the experts: Insights from Intel’s Steve Grobman, Citrix’s Simon Crosby, and VMware’s Mendel Rosenblum

Get the full-length report at businessinnovation.cmp.com/governance

While the tools to create a secure virtualized environment are now showing up, it would be a mistake to think that virtualization security is just about buying a different set of security tools. Greg Shipley, CTO of security research company Neohapsis, offers this advice: “Take a hard look at what threats you actually think you’re facing, and what tools or techniques (which might not involve a technology purchase!) are out there to help mitigate them.” Shipley maintains a healthy skepticism of security software vendors. He “can’t help but wonder if some of the vendors out there are simply looking at all the virtualization going on and saying, ‘Hey, how do I sell security to all these VMware shops?’ I think part of the burden on us users/consumers of the technology is to discuss what the true threat vectors are and then look at tools.”

Virtualization will change the face of computing from the desktop to the data center. Getting security right requires reassessing the approach to and goals for security. Platform and network security, which have been the mainstay of most security efforts to date, will give way to securing data and restricting its use to only those who are, by policy, allowed to use it.

Source

Comic: You know, normal people just have aquariums…

January 4th, 2008

Network

Source

Top infosec risks for 2008

December 30th, 2007

From CISSP forum:

“We have completed and published our collaborative white paper listing the top information security threats, vulnerabilities and impacts, along with some risk scenarios and controls, as we head towards the new year…”

http://www.iso27001security.com/Top_information_security_risks_for_2008.pdf

Intellectual Property- what is it and how do we secure it?

December 29th, 2007

Intellectual Property

Intellectual property, a major component of Intellectual Capital, is described in Chapter 4 of IT Governance: Guidelines for Directors. Intellectual property (IP) is a term used to describe certain legal entitlements which are concerned with the protection and usage of recorded media (TV programmes/films/music), written works, names and inventions. IP is usually in the form of:

  • a patent,
  • a copyright,
  • a trademark or
  • a design

Every country has its own form of copyright legislation. In the UK, the UK Patent Office provides substantial information about UK intellectual property rights (IPR), the Copyright Licensing Agency is a critical resource, and the World Intellectual Property Organization (WIPO) “promotes intellectual property throughout the world.” The Handbook of Intellectual Property Management is an excellent reference book on the subject.

Further insights into the many different types of IP and the laws governing them are detailed in the Handbook of European Intellectual Property Management which predominantly covers the world of IP from a European perspective or, if you are looking for a specifically legal manual, then Intellectual Property Law, Fourth Edition provides a worldwide perspective and introduction to the subjects.

Both the books mentioned above are available for immediate despatch from the IT Governance online store. IT Governance have searched the book publishing world exhaustively for the most interesting and highly authoritative books on the many different aspects of IP; these are now readily available in one place for you to purchase. Please read on for more information on IP and the books associated with specific aspects of IP.

Copyright

Copyright is primarily concerned with the right to use a certain piece of information or a particular expression. Its main principle is that it allows the copyright holder to regulate the use of the item protected by copyright.

The most visible sign that an item is protected by copyright is the symbol ©, which is usually clearly featured on the item in question. However, in countries that follow the Berne Convention copyright arises automatically when a work is created, so the symbol is a notice rather than a legal requirement.

Copyright can be described in simple terms as the ‘the right to copy the item in question’. If you are looking to understand the ins and outs of copyright, then the best book for you to read is A User’s Guide to Copyright, Sixth Edition. This cuts through the jargon to provide both legal and non-legal professionals with a guide to the world of copyright.

The law governing copyright is standardised across the world by treaties such as the Berne Convention. If you are looking to grasp the fundamentals of these copyright treaties and gain interpretive guidance, then the doubly authoritative manual, International Copyright and Neighbouring Rights: The Berne Convention and Beyond, Second Edition, is highly recommended. This is a two-book set from Oxford University Press (OUP) which offers highly intelligent insights and guidance into the complex issue of copyright law. Additionally, copies of most of the major copyright agreements and treaties, such as the Berne and Rome Conventions, are included.

Patents

Patents are generally a set of rights granted to an inventor, or to a person or organisation associated with the inventor, for a fixed period of time. These rights are granted in exchange for disclosure of an invention or idea.

Patents usually grant a period of exclusivity in which the inventor, or associated individuals/organisations, can prevent others from making, using, selling, offering to sell or importing the invention. However, these rights are not the same in all countries.

If you are looking to ascertain the ins and outs of UK and EU patent law then A User’s Guide to Patents, Second Edition provides a thorough understanding of these articles. It also addresses many of the wider public policy issues of patents.

There are many different international agreements and treaties governing how patents are enforced. However, these agreements or treaties are usually enshrined in local laws. The main agreements and treaties governing the use of patents are the Trade Related Aspects of Intellectual Property (TRIPS) Agreement and the Paris Convention for the Protection of Industrial Property. Further information on the TRIPS Agreement in particular can be found in a book called Trade Related Aspects of Intellectual Property Rights: A Commentary on the TRIPS Agreement. This book distils the essence of the TRIPS Agreement making it easily interpretable by the layman as well as the legal professional.

For a more thorough country-by-country approach to the legal aspects of patents and which treaties or agreements are, in effect, within a particular country then International Patent Treaties with Commentary is essential reading. It provides country-by-country information of the particular patent laws operating in that country, as well as providing information on how to maximise your patent rights in that country.

Patent searching can often be a difficult task: you can pay third party organisations to undertake searches for you, or you can do it yourself on websites such as Google Patent Search, the UK Patent Office or the United States Patent and Trademark Office’s website.

If you are looking for tried and tested methods of searching for patents, and don’t want to pay a third party service provider to do searches for you, then the methods conveyed in Patent Searching: Tools & Techniques are essential. Before filing your patent, make sure that one does not already exist for an invention similar to your own, and save time and money on third party services by using the methods in this book.

Trademarks

A trademark is a unique and distinctive sign, or indicator of some type, which is used to distinguish a company’s, person’s or legal entity’s products or services from other entities products or services.

Trademarks are usually names, logos, designs, symbols or words. They can also be a combination of all of the previous elements put together.

Trademark rights confer on the owner the exclusive right to use the trademark within a certain market. More than one organisation can have rights to use a similar trademark, but the markets in which each may use it are limited. An example of this would be Apple Corps, the Beatles’ music company, and Apple Computer; the trademark in both cases being an apple symbol.

Further information on the correct usage of trademarks can be found in a highly authoritative manual called Trade Mark Use, which is published by Oxford University Press. This manual clearly describes the correct usage of trademarks and the laws that cover the many different aspects of trademarking.

If you are looking to correctly classify your trademarks in accordance with the Nice Agreement, which is one of the main treaties governing the world trademark system, then International Trademark Classification: A Guide to the Nice Agreement is the essential manual you need. The advice included in this handy desk reference is fully in line with the ninth edition of the Nice Classification.

The above manual is written by a highly authoritative author, Jesse N. Roberts, who is the administrator of trademark classification at the United States Patent and Trademark Office.

Licensing Intellectual Property

Many organisations choose to license their trademarks, patents and copyrights to third parties for economic and other purposes. However, if you don’t understand the fundamentals of doing so, you can soon find yourself bogged down in a legal mire.

Essentials of Licensing Intellectual Property distils the key information you need to know if your organisation is considering licensing its IP to third party organisations. It demystifies the entire process of IP licensing by providing best-practice processes for every key stage of IP licensing.

Intellectual Property Law

There are many different agreements and treaties governing the many different types of intellectual property. IT Governance have scoured the world of publishing to assemble the best selection of both practical and authoritative books on the subject. Whether you are looking for a book covering the TRIPS Agreement or the Nice Agreement, you will find it here:

Creating, Managing and Measuring Intellectual Property

For those who want to go about creating a portfolio of IP, knowing where to start can be very confusing and frustrating. Knowing how to protect IP, which treaties and agreements apply, and understanding the IP management process from creation to fruition are key requirements.

The Handbook of Intellectual Property provides a one-stop resource covering the main aspects of IP. Whichever aspect you are looking for, the information in this book is bound to be of interest to you.

It is often not appreciated how much value the effective management of IP can bring to an organisation. However, this is understandable, as IP is, in itself, intangible. In Tangible Strategies for Intangible Assets, the author provides methods for measuring, realising and managing an organisation’s intellectual property. The methods covered include the Balanced Scorecard approach amongst many others. Sample case studies are given of how the methods in the book have been used successfully, including eBay and Amazon amongst many others.

Source

TAKING RISK ON BOARD. How global business leaders view risk

December 29th, 2007

This briefing paper draws a number of conclusions, based on a programme of in-depth interviews with business leaders and industry analysts, combined with extensive desk research, all carried out by the Economist Intelligence Unit.

“That business risks are proliferating in an increasingly competitive world is beyond dispute. Risks to business continuity and to intangible assets such as intellectual property and reputation are rising as the economy becomes ever more global. At the same time, the post-Enron era has brought heightened focus on the role and responsibility of corporate boards and their members. So, just how high is risk management on the corporate agenda? This paper explores the extent to which risk is now a board-level responsibility, what boards see as their risk-related priorities, and what they do and don’t do to implement effective risk management strategies throughout their organisations…”

Read / Download PDF

Ask the Auditor: Who is Responsible for Information Security?

December 29th, 2007

Our new column, “Ask the Auditor,” answers real questions submitted by real readers. This week, certified internal auditor and certified information systems auditor Dan Swanson answers the question of who is responsible for information security.

By Dan Swanson

A Reader Asks: Who is responsible for information security?

The Auditor Responds: In short, the board of directors, management (of both staff and business lines), and internal audit functions all have significant roles in auditing information security. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive data is being done—and that the company’s key assets are protected appropriately.

1) Staff and line-of-business managers must have a voice in the design and implementation of information security programs, since these managers are ultimately responsible for protecting and enhancing the value of the organization’s assets, including information assets. Managers must also review and monitor security controls to ensure they remain appropriate despite ever-changing risks and business requirements. This is, in fact, a form of auditing information security. And, finally, managers who own business-unit information should also help define its security requirements, based on business objectives, the significance of the information involved, legal requirements, and the seriousness of threats to data privacy.

Under a separate category of management, information security managers should organize and implement the organization’s information security program, including its monitoring (testing) program.

Although business managers often try to assign information security responsibilities to an information security management function, all parts of the organization have information security responsibilities. Security goals include a mixture of technical, procedural, and oversight controls, all of which should be reviewed or tested to ensure they are (a) adequate, as defined to mitigate information security risks, and (b) reasonably effective in practice.

Finally, executive management must provide leadership to ensure that information security efforts are supported and understood across the organization. Executive management must also dedicate sufficient resources to allow controls to be effective.

2) The board of directors must provide oversight at a level above other business managers. The director’s role in information security is to ask managers the right questions and encourage the right results. Directors must set the right tone at the top, communicating to executive management the business imperative of effective information security management.

3) The internal audit function provides strategic, operational, and tactical value to an organization’s operations. For example, internal auditing:

  • Tells the board and management whether business units understand the importance of security and adhere to policies; whether key information assets and systems are secure; and whether programs are in place for continually updating and strengthening safeguards against internal and external security threats
  • Provides assurance to both directors and managers that information security is as good as people say it is. Auditors identify weaknesses in existing security efforts, along with corresponding opportunities for improvement.
  • Helps the board and management understand whether the information security function has the resources, systems, and processes it needs to be efficient and effective
  • Independently validates that the organization’s information security program efforts are proactive and effective against current and emerging threats. To provide this level of assurance, internal auditors also compare current organizational practices with industry practices to discern whether their organization is operating comparably to others.

By ensuring that information security systems and management are subject to review by qualified professional auditors, corporate leaders advance the goal of overseeing the organization’s information security program and ensuring its continuous improvement and success.

To fulfill its potential, the internal audit function needs to:

  • Know what they are doing (i.e., have the skills to perform appropriate security audits)
  • Have a long term information security audit plan
  • Have a strong understanding of the technical and business environments
  • Know what to ask for

Information security auditing should be planned with an eye to ever-changing technical and business environments. The auditing function should “complement,” but never replace, management’s responsibility to ensure their IT controls are operating properly.

Resources

Proactively studying “what’s new” is a fundamental requirement for implementing and auditing information security effectively. Landmark guidance is issued every few years. These “classics” offer important knowledge relevant to all security stakeholders. The following list represents several classics, as well as some very new information, from a variety of leading resources relating to information security and its control and auditing.

Information Security Resources

1. The Computer Emergency Response Team (CERT) program has developed extensive guidance regarding information security, security management, security governance, and the assessment of risk. CERT is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University. Some of its most interesting resources explore:

2. The Corporate Information Security Working Group (CISWG) has produced guidance on the development of information security metrics and created a definitive summary of information security management references. CISWG is a program formed by Adam H. Putnam, chairman of the Subcommittee on Technology, Information Policy, Intergovernmental Relations & the Census of the Government Reform Committee, of the U.S. House of Representatives. Its publications include:

3. Executive Guide: Information Security Management: Learning From Leading Organizations

4. Microsoft’s Security Risk Management Guide

5. The International Systems Security Engineering Association (ISSEA)

6. How to Become an Information Security Professional

7. US Security Awareness—Information Security Auditing

8. The SANS Institute and its SCORE Checklist Project: ISO 17799

9. The Center for Internet Security

10. The Information Systems Security Association (ISSA)

11. The Computer Security Division (CSD) of the National Institute of Standards and Technology (NIST), including the Federal Information Security Management Act (FISMA) library

12. Information Security Governance: Guidance for Boards of Directors and Executive Management 2nd Edition (ISACA)

13. The Open Web Application Security Project

Information Security Auditing Resources

1. The Institute of Internal Auditors (IIA) has published a series of three board-level guidance reports on information security, covering the assignment of responsibilities to the board, management, and internal audit, and providing guidance to board directors.

2. “Avoiding IS Icebergs,” by Dan Swanson

3. Management Planning Guide for Information Systems Security Auditing, from the National State Auditors Association and the US General Accounting Office

4. Information Security Oversight: Essential Board Practices, from the National Association of Corporate Directors (NACD)

5. Information Systems Audit and Control Association (ISACA), and IT Governance Institute

6. AuditNet

7. The Global Technology Audit Guides (GTAG)

8. The Canadian Federal Government Internal Audit Guides

9. The IT Process Improvement Institute

10. The Center for Education and Research in Information Assurance and Security

Do you have something to ask the auditor? Send your question to editor@itcinstitute.com. We will try to answer it in a future column.

Dan Swanson (CIA, CMA, CISA, CISSP, CAP) is president and CEO, Dan Swanson and Associates. He is a 26-year internal audit veteran, who most recently was director of professional practices at the Institute of Internal Auditors (IIA). Prior to his work with the IIA, Swanson was an independent management consultant for more than 10 years. He has completed audit projects for more than 30 different organizations, spending almost 10 years in government auditing, at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors.

Source:
http://www.itcinstitute.com/display.aspx?id=1823

Passenger Says He Hacked Windows In New York Taxi Display Screen

December 28th, 2007

A software engineer says he accessed a New York City cab’s video display system files after seeing an error message on the screen.

A New York City software engineer managed to gain access to the operating system for a touch-screen display available in the back seat of many Manhattan taxicabs and also used it to connect to the Internet. But no sensitive information or critical systems were compromised, according to the display systems vendor. The display is used to present short videos and ads to taxi riders, and can be used to pay the taxi fare with a credit card. A VeriFone Transportation Systems spokesman told InformationWeek Thursday that passengers’ credit card data is encrypted and isn’t stored locally, so it wasn’t compromised. He also said the cab had an outdated modem, used while the city tested the display systems.

Billy Chasen posted photos on his blog earlier this month showing that he accessed a New York City cab’s video display system files after seeing an error message on the screen. The artist and software engineer explained in the blog that he managed to open Internet Explorer, launched the Connection Wizard, selected a Sprint card for a dial-up connection, and accessed Adobe’s Web site.

Chasen said he opened files and “had full administrative access to everything on the PC.”

“It was not only a security flaw, but people also pay with the screen if they use a credit card,” he said, adding the information could be stored locally.

“What I did was a much bigger problem than GPS tracking,” he said. “You’re essentially giving strangers access to a computer that is shared with hundreds of customers.”

Chasen went on to say that he could have installed software from the Internet.

The VeriFone spokesman, however, said Chasen had merely accessed media files, and passengers could not gain control of sensitive information.

“It’s a Windows-based system, so I could never say never,” he said. “But there is no credit card information stored in the system.”

The spokesman said the meter is integrated into the display system but not reliant upon it, so errors and unauthorized access would not affect meter functioning. He also pointed out that the New York City Taxi and Limousine Commission strictly regulates fares and meters.

“If the meters weren’t functioning right, the TLC would be all over it,” he said.

He also responded on Chasen’s blog, saying VeriFone investigated the incident, the old modem was replaced, and users cannot access editing tools on the system.

The new taxi technology systems, which are required for all New York cabs, generated controversy earlier this year and prompted some cab drivers to protest because they feared they would be monitored and tracked by GPS technology.

New Research Outlines Key Steps to Protect Sensitive Data - December 5, 2007

December 28th, 2007

Research from the IT Policy Compliance Group illustrates what works to protect sensitive data

CUPERTINO, Calif. - Dec. 5, 2007 - The IT Policy Compliance Group today announced the availability of its latest benchmark research report titled “Core Competencies for Protecting Sensitive Data” (PDF 1.5MB). The report, which incorporates responses from more than 450 organizations globally, concludes that only one in ten organizations is in the enviable position of adequately protecting their sensitive data. The report also analyzes the variables between those companies that are leaders and laggards in the area of data protection, providing insight into which actions and best practices can lead to less data loss, improved compliance results and sustained competitive advantage.

About IT Policy Compliance Group
The IT Policy Compliance Group is dedicated to promoting the development of research and information that will help IT professionals meet the policy and regulatory compliance goals of their organizations. It is supported by several leading organizations including: the Computer Security Institute, The Institute of Internal Auditors, Protiviti, Information Systems Audit and Control Association, IT Governance Institute, and Symantec Corporation. The group conducts fact-based benchmark research to determine the best practices that result in improvements to IT for organizations. More information is available at www.ITPolicyCompliance.com.