Thursday, May 15, 2008 6:49 PM/EST
Yesterday, May 14, the PCI Security Standards Council, the body that oversees the PCI DSS (Payment Card Industry Data Security Standard), announced the formal timeline for releasing Version 1.2 of the specification in October of this year. PCI DSS was last revised in September 2006 and is still one of the most interesting security mandates in the IT industry. It is specific, it has no legal standing (i.e., it isn't mandated by legislation), and it carries clear and enforceable punishments for noncompliance. Version 1.2 eliminates some overlap among various parts of the standard. What exactly is in 1.2 will be revealed at a Webcast on May 22 that I'll be attending and reporting on. The standard tries to address the challenges of driving security into the previously unregulated consumer retail space, where there is a high volume of relatively low-value transactions in which buyers and sellers can have...
Wednesday, May 14, 2008 4:10 PM/EST
Digging through my e-mail, I came across some analysis by Shavlik that summarized the company's findings from polls conducted in April at the RSA Conference and Infosecurity Europe. Shavlik makes security, compliance and update tools aimed primarily at Windows systems, so, unsurprisingly, the poll results showed a need for the company's products. Even so, the conclusions of the analysis coincide with a position that I've advocated for some time: that a well-managed network is the foundation of a secure network. The survey analysis supplied by Mark Shavlik, CEO of Shavlik Technologies, highlighted that "Companies are increasingly recognizing the need to automate operations in order to streamline compliance as an ongoing business process. But too many organizations still don't have a standard approach, which leaves gaps in their security infrastructure ... solutions that simplify, automate, and provide better control over security and compliance management." The survey results...
Thursday, February 21, 2008 7:56 PM/EST
I've just returned from the Emerald City (Oracle's Redwood Shores HQ), where I was given a demo of the latest version of Oracle Enterprise Manager 10g Grid Control, Release 4. After reviewing Oracle Database 11g, I felt it was time to take a look at Grid Control R4, released in November 2007. I was only able to scratch the surface of the Oracle ecosystem manager in the more than three hours of demonstration time. My basic takeaway is that database and system administrators should definitely get the basic Enterprise Manager 10g Grid Control R4 product, which is available at no extra license cost with most Oracle products. I'll take a closer look at the add-on management packs that Oracle charges for when I do a full review of the product. In most respects, the basic shape of Grid Control R4 is comprehensive systems and application management. The three-tier architecture uses agents...
Tuesday, December 18, 2007 6:36 PM/EST
I had the pleasure of speaking with Alex Tatistcheff, information security manager for Idaho Power, on Dec. 12 about his implementation and use of nCircle's CCM (Configuration Compliance Manager). Anyone interested in compliance management, especially for servers, would do well to take a look at the case study. There's also a review of nCircle's product and a slide show of CCM in action. There is also a related case study on the Denver International Airport's PCI compliance steps. Idaho Power is primarily using nCircle for Sarbanes-Oxley Act compliance, and Denver International's project was aimed squarely at PCI compliance. I'd like to circle back to both organizations in about a year to see if they've expanded the use of their auditing tools to other compliance projects. My guess is that they will. Idaho Power was talking about NERC (North American Electric Reliability Corporation) critical infrastructure protection regs, for which it might use nCircle....