Monthly Archives: November 2008

ITWeb: PCI standards must be adopted

[ Johannesburg, 26 November 2008 ] – Symantec has called on South African businesses to widely adopt the Payment Card Industry (PCI) Data Security Standard as a way of improving card security.

Compliance is an essential part of risk management, says Errol Rhoden, IT governance, risk and compliance solutions manager for Symantec emerging region.

“The reality is that companies lose out if they don’t prioritise governance and compliance. The financial implications are huge, with companies which don’t comply with standards receiving tremendous fines. There are also general financial losses which should be considered.”

Currently, organisations which deal with credit card payments have to show compliance with the standard, while finding solutions to challenges such as data breaches and the growing impact of cyber crime.

“The underground criminal activity is growing and becoming more effective. There are also activities, such as corporate warfare, where there are attempts to damage companies’ reputations by other companies or individuals,” explains Rhoden.

He believes the data security standard needs to be willingly adopted by companies to ensure it works effectively, saying: “The standards which guide companies on governance policies need to be accepted by industry. It is a business standard and not a government standard. So it cannot be forced on anyone. Companies need to see the benefits of adopting this.”

Firms that adopt the standard and fail to comply will face fines, to be determined and enforced by banks or similar bodies.

“The South African situation is different as regulations are different, and this has impacted on the slow adoption of the standard. Something like the fact that banks are not required to send notifications to customers if there is a security breach in their account, will definitely be impacted by the standards.”

The standard will be adopted in SA in February 2009, with plans to ensure all industries involved in card payments are fully compliant in September 2010.

ITWeb: PCI standards must be adopted.

Building an IT Governance Foundation – Baseline

While organizations have similar goals such as controlling costs and achieving data consistency, IT departments across government, corporations and nonprofits operate differently. IT management needs an overarching governance model like CobiT, ITIL, CMM and Six Sigma to ensure that investments in technology generate business value and mitigate risks.

Information technology governance defines the overall structure, policies, processes and relationships necessary to provide the desired level of standardization and consistency across an IT organization. It encompasses systems, performance measures and risk management procedures, helping organizations make informed decisions about their operations and investments. While organizations have similar goals—such as controlling costs and achieving data consistency—IT departments across government, corporations and nonprofits operate differently.

Even after a rigorous focus on compliance initiatives—and the widespread acknowledgment that large-scale, complex, strategic IT projects commonly progress beyond scope and budget without due attention—standardization around IT governance models is still being sought.

When organizations are examined and the use of best-practice disciplines is polled, a number of frameworks and standards for varying aspects of IT operations are found. These frameworks typically include:

* IT Infrastructure Library (ITIL), developed by the United Kingdom’s Office of Government Commerce, focuses on service support and service delivery.

* ISO/IEC 27001 (ISO 27001) consists of a set of best practices to implement and maintain an information security program.

* AS8015-2005 is the Australian Standard for Corporate Governance of Information and Communication Technology.

* Capability Maturity Model Integration focuses on software engineering, people and implementation.

* Balanced Scorecard is a strategic planning and management system used to align business activities to the organization’s vision and strategy.

* Six Sigma is a manufacturing-based system focusing on quality assurance.

IT management needs an overarching governance model to ensure that investments in technology generate business value and mitigate associated risks. The model should also provide a common language for IT and users, enable more focused planning, and create a level of standardization, consistency and predictability.

First published in 1996, Control Objectives for Information and Related Technology (CobiT) provides a set of generally accepted best-practice objectives to help maximize the benefits derived through IT use. It further aids in developing appropriate IT governance and control in an organization. Managed by the Information Systems Audit and Control Association and its research body, the IT Governance Institute (ITGI), CobiT became the IT governance standard against which auditors measured process and control maturity in support of compliance with the Sarbanes-Oxley Act of 2002.

CobiT provides a control- and objective-based foundation upon which decisions and investments can be based. These include defining a strategic plan; defining the information architecture; acquiring the necessary hardware and software to execute a strategy; managing projects; ensuring continuous service; and monitoring the performance of the IT system.

This is achieved by providing tools to assess and measure the performance of 34 high-level processes that cover 214 control objectives, which are categorized in four domains: Plan and Organize; Acquire and Implement; Deliver and Support; and Monitor and Evaluate. By implementing processes and procedures supporting the CobiT objectives and identifying and monitoring associated controls, users and auditors will recognize greater reliability and performance throughout the enterprise.

Building IT Governance: Overcoming Challenges

Throughout IT organizations, common themes are described as areas of opportunity: improve project planning and investment; increase collaboration and information sharing; facilitate effective communication and transition across the lifecycle; control cost while providing efficient operations and support; enhance service delivery; and improve security. These themes are usually approached as individual programs or are carefully orchestrated as an overarching organizational transformation related to technology operations.

Certain areas, such as security and managing data across an enterprise, require heavy investment and monitoring. These are also areas that auditors commonly spend time scrutinizing and directing change for heightened control.

When remediation is essential, reactive solutions are typically implemented. Though necessary, these solutions can be costly and inefficient. Once a baseline is set, however, and the auditors leave, it is far more efficient for IT management to proactively design and support an improvement plan with cross-functional reach. The CobiT model can help with this.

By understanding the four domains and the underlying process areas, IT management and staff can begin communicating from a common frame of reference. Leveraging the CobiT toolkits, IT management can promote a standard set of metrics, process structures, improvement plans and self-assessment mechanisms. This allows each area to initiate, report and monitor in a similar fashion.

In almost every change-management or operational-improvement approach, stakeholder involvement is critical, yet this is often where things fall apart. Think how many project managers ask for executive stakeholder meetings to communicate issues and detailed plans. Now ask how many IT managers have enough time to devote to such detail. The answer would be “very few.”

With an understanding of CobiT and having a common approach to managing and measuring processes, IT management will have an informed understanding of the objectives to be achieved. This understanding allows IT management to focus on the actions that require their attention, enabling the program to stay on track based on meaningful risk and opportunity reviews.

From the ITGI CobiT 4.1 framework document, the four domains and their relationships are described and the related process areas listed. The relationships can help IT management focus on areas of opportunity or risk.

Plan and Organize (PO) provides direction to solution delivery (AI) and service delivery (DS); Acquire and Implement (AI) provides the solutions and passes them to be turned into services; Deliver and Support (DS) receives the solutions and makes them usable for end users; and Monitor and Evaluate (ME) monitors all processes to ensure that the direction is followed.

A governance framework is worthwhile only if it is actually used; otherwise, it becomes a waste of money and a burden to the staff. To be effective, its language must permeate regular conversations among the leadership team and find its way into dashboards and documents.

By using CobiT tools, IT management can quickly assess strengths, weaknesses and opportunities. It can then reduce costs, improve the top-line, enhance customer service, or meet compliance and regulatory reporting by balancing risk mitigation and process improvement in a proactive fashion.

Building IT Governance: Collaboration and Support

As an example, one state government’s IT strategic planning group wanted higher levels of collaboration and a stronger sense of support. The sense of buy-in across multiple agencies would strengthen appropriation requests for strategic initiatives, allowing for economies of scale, including:

  • Solutions that address and automate inter- and intra-agency business processes
  • Smaller, more focused teams to drive progress more quickly
  • More statewide, standardized technology platforms and tool sets
  • Enhanced information sharing and increased reusability
  • Lower total cost of ownership for solutions.

To achieve its goals, the state government embarked on a more collaborative planning effort, beginning with an agency director approach. This top-down model was meant to align agencies having similar business-oriented goals and challenges. Facilitated discussion and collaborative decision making identified and defined capabilities that would help alleviate challenges in support of goals that could be met through technology. This transition—from business-driven need to technology-based capability—also allowed the agency directors to communicate more effectively with the IT directors.

The transition to technology occurred when enabling capabilities, such as business intelligence, were identified. More than 50 agencies were represented and more than 100 directors, chiefs of staff, and IT leads collaborated in the process to iterate balanced objectives and identify existing and new initiatives.

The state’s intent for the strategic planning process was a set of IT-oriented priorities that support state and agency business goals and can be translated into a set of recommended projects and budgets. With the iterative, collaborative process utilized, it was essential to be sensitive to time and competing priorities. In support of the process, the state established a legislative technology committee and formalized the agency director advisory committee.

The state’s approach—developing output for the framework—was designed to facilitate discussion and move quickly toward decisions in a collaborative fashion that built support and consensus.

Looking at CobiT’s Planning and Organizing domain, the very first process area is Define a Strategic IT Plan. This satisfies the business requirement for IT to sustain or extend the strategy and governance requirements, while still being transparent about benefits, costs and risks.

Another CobiT process area, Define the IT Processes, Organization and Relationships, has several applicable objectives. These include Defining an IT Process Framework, Establishing an IT Strategy Committee and Establishing an IT Steering Committee.

The state government achieved several CobiT objectives through its planning process, which had the goal of developing a long-term strategic plan—not overtly aligning with the CobiT framework. This is a model of success that other standard and framework maturity programs can learn from.

Enabling IT Governance Transformation

The steps enabling transformation—in the context of an IT governance, compliance or enterprise risk management initiative—describe a business process. Similar to any other business process, it must be documented, followed with discipline and improved with every iteration.

For a successful CobiT experience, always begin from a perspective of knowledge and leverage experienced support. Implementing an enterprise risk management, compliance or IT governance program is like any other transformation: It must have the support of a dedicated team to be successful.

Lessons taken from enabling organizational transformation hold true for an IT governance program to reduce cost and effort, while enhancing chances of success and building support across an organization. There are only so many tasks that one person or a group working part-time can push forward simultaneously.

For an IT governance effort to succeed, therefore, dedicated resources must be allocated, IT management must have a common understanding to allow for more focused decision making, and progress must not be predetermined by an arbitrary schedule, such as a quarterly earnings call.

Plan and Organize (PO)

  • Define a strategic IT plan.
  • Define the information architecture.
  • Determine the technological direction.
  • Define the IT processes, organization and relationships.
  • Manage the IT investment.
  • Communicate management aims and direction.
  • Manage IT human resources.
  • Manage quality.
  • Assess and manage IT risks.
  • Manage projects.

Acquire and Implement (AI)

  • Identify automated solutions.
  • Acquire and maintain application software.
  • Acquire and maintain technology infrastructure.
  • Enable operation and use.
  • Procure IT resources.
  • Manage changes.
  • Install and accredit solutions and changes.

Deliver and Support (DS)

  • Define and manage service levels.
  • Manage third-party services.
  • Manage performance and capacity.
  • Ensure continuous service.
  • Ensure systems security.
  • Identify and allocate costs.
  • Educate and train users.
  • Manage service desk and incidents.
  • Manage the configuration.
  • Manage problems.
  • Manage data.
  • Manage the physical environment.
  • Manage operations.

Monitor and Evaluate (ME)

  • Monitor and evaluate IT performance.
  • Monitor and evaluate internal control.
  • Ensure compliance with external requirements.
  • Provide IT governance.

Adam Nelson is director of management and IT consulting at Keane, a global IT consulting firm headquartered in San Ramon, Calif.


Gartner – Visa sets Global PCI deadline

Visa announced a global compliance program for the card industry’s key security standard. But many issues remain, including unclear European deadlines and the treatment of merchants that have chip card processing in place.

On 10 November 2008, Visa announced new global standards for compliance with the Payment Card Industry Data Security Standard (PCI DSS) designed to create a consistent worldwide framework for compliance by merchants, service providers and others. The new standards include a global set of requirements for merchants accepting Visa payments to validate compliance with PCI DSS, deadlines for the largest merchants to achieve validation, and deadlines for large and mid-level merchants to demonstrate that they are not storing certain types of sensitive card data. The new deadlines and processes do not, however, apply to European merchants and service providers.


The Visa announcement provides some much-needed clarification for the PCI DSS compliance and validation process for some merchants and service providers outside the United States. Visa merchants and service levels are aligned across most world regions, and deadlines and requirements have been set for demonstrating PCI DSS compliance. Nonetheless, several critical PCI DSS questions remain:

  • Visa deadlines and processes will be different in Europe, because Visa Europe is an independent licensee of Visa International. The absence of published deadlines for European companies leaves that region in its current confused state of PCI compliance.
  • Although Visa has once again taken the lead among card brands in moving the PCI compliance process forward, Gartner is not aware of any similar transparent global enforcement efforts or deadlines announced by American Express, Discover, JCB or MasterCard.

Moreover, many of the affected merchants and processors in the different global regions (including Latin America and Asia) — unlike their counterparts in the United States — have already spent considerable sums upgrading their infrastructure to support card brand mandates to roll out chip and personal identification number (PIN) cards. These same companies must now begin the often-costly PCI compliance process. Merchants Gartner has consulted believe they should be granted some type of compensation (in the form of reduced PCI compliance requirements or extended deadlines) for their chip and PIN support. Visa has indicated that some limited compensation is available to the largest European (Level 1) retailers, whose acquirers may, at their discretion, recategorize them to Level 2 if they have successfully deployed Europay, MasterCard and Visa (EMV) Chip and PIN, and EMV chip cards are encoded with iCVV (card verification value for integrated circuit cards).


Merchants and service providers:

  • Continue to focus on strengthening cardholder data security first, because PCI compliance will follow by default.
  • Begin securing your cardholder data and systems now, and do not wait for your acquiring bank to contact you about PCI compliance.

Visa Europe:

  • Publish deadlines and processes for European companies that must comply with PCI standards.

All card brands:

  • Strengthen the security of the payment system by recognizing that magnetic stripes on cards will not go away until all countries and cardholders move to chip and PIN, and by adding cardholder authentication to magnetic-stripe cards.
  • Create a new Self-Assessment Questionnaire with further-reduced PCI DSS compliance requirements for merchants who have upgraded to chip and PIN infrastructure and are not storing any electronic cardholder data.

visa_sets_global_pci_deadlin_163330.pdf

NIST Requests Comments on Next Generation CA Process for Information Systems

National Institute of Standards & Technology

Release date: August 19, 2008

The National Institute of Standards and Technology (NIST) has released for public review and comment a major revision to its security certification and accreditation (C&A) guidelines for federal information systems. A substantial rewrite of the original document, the new Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach, represents a significant step toward developing a common approach to information security across the Federal government, including civilian, defense, and intelligence agencies, according to NIST security experts.

When finalized, the revised guide will replace NIST Special Publication 800-37, which was issued in 2004 under the title Guide for the Security Certification and Accreditation of federal Information Systems. Like the original, the revised guide maps out a basic framework for managing the risks that arise from the operation and use of federal information systems, the measures taken to address or reduce risk, and a formal managerial process for accepting known risks and granting-or withdrawing-authorization to operate information systems. The guide emphasizes the need to treat information security as a dynamic process, with established procedures to monitor, reassess and update security measures to maintain the authorized security state of an information system. The revised security authorization process is designed to be tightly integrated into enterprise architectures and ongoing system development life cycle processes, promotes the concept of near real-time risk management, capitalizes on investments in technology including automated support tools, and takes advantage of over three decades of lessons learned in previous approaches to certification and accreditation.

Since 2003, NIST has developed and published information security standards and guidelines under the Federal Information Security Management Act (FISMA). While the NIST methodology for analyzing, documenting and authorizing the security of information systems is widely followed by federal agencies operating non-national security systems, other frameworks have coexisted with it for national security systems, including the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) and the National Information Assurance Certification and Accreditation Process (NIACAP). This first revision to SP 800-37 is the result of an interagency effort that is part of a C&A Transformation Initiative working toward a convergence of information security standards, guidelines and best practices across the government’s civilian, defense and intelligence agencies. NIST is participating in this effort along with the Office of the Director of National Intelligence (DNI), the Department of Defense (DOD) and the Committee on National Security Systems (CNSS). Future updates to NIST FISMA publications will continue this convergence towards common standards and procedures.

Copies of the initial public draft of SP 800-37 Revision 1 are available from the NIST Computer Security Resource Center. NIST is requesting comments on the draft by Sept. 30, 2008.

Media Contact: Michael Baum, (301) 975-2763

NIST Requests Comments on Next Generation CA Process for Information Systems, Natio.

International Challenges in PCI Security

In a country that’s seen many regulatory compliance challenges this decade, the headaches of PCI security tend to be analyzed from a largely American perspective.

In the process, companies tend to forget that PCI compliance has been a recipe for international indigestion.

“Remember that credit cards are used abroad, and many American companies have personnel handling credit card transactions in offices all over the world,” says Bruce Larson, security director at American Water, a major water utility that employs more than 10,000 people. “If you have a multinational organization, your data is not just sitting in the U.S.”

There may be some irony in hearing that from someone whose concerns are mostly based on security threats inside the U.S. Larson has to worry about everything from cyberattacks targeting computerized water filtration systems to terrorists who might try to bomb pipelines or poison the water supply. He also loses sleep whenever there’s the chance of a natural disaster.

The inconvenience of online, global commerce

But more people are using credit cards to pay the water bill online, and he knows the credit card data is floating around in databases outside the U.S. Losing any of that data could be a body blow in terms of public confidence. Then there’s the fact that American Water does business with vendors across the globe.

“I have a very geographically distributed network — more than 1,500 locations where humans work, 150-200 of those are critical operations facilities,” Larson told attendees during a PCI security seminar CSOonline held in New York in September.

For Harshul Joshi, director of IT-risk and advisory services at CBIZ and Mayer Hoffman McCann P.C. (MHM), a professional business services company, doing business internationally can make for a lot of confusion regarding the PCI security ground rules.

“When we deal with non-U.S. companies, there is often confusion over what PCI security requires,” Joshi says. “We work with one of the largest magazine publishers with operations around the globe and if you dial an 800 number, chances are you’ll be talking to someone in a call center in Vietnam. You give your credit card number and it is recorded somewhere outside the U.S.”

On the outside looking in

If a company is based outside the U.S. — in Sweden or Ukraine, for example — the problem is usually a lack of communication and money regarding PCI security needs.

Dmitriy Tsygankov, director of the corporate customer care center at a bank based in Europe, says Visa USA tends to offer American companies more incentives and assistance for their compliance efforts. As an example, he mentions the US$20 million in financial incentives Visa USA offered nearly two years ago to encourage quicker adoption of the standard.

“Why does Visa USA offer merchants a $20 million bonus to become compliant and not other regions?” he asked. He suspects it’s because e-commerce is more popular and profitable in the U.S. In the bigger picture, he says, it can be harder for foreign companies to come up with the cash needed to achieve compliance.

No financial incentives were mentioned in a recent statement from Visa Inc. announcing new global PCI compliance deadlines. Under the deadlines, announced last week, global merchants and service providers must show by Sept. 30, 2009 that they are not storing full magnetic stripe data (track data), security codes or PIN data after a transaction is approved. Sept. 30, 2010, is the deadline for all service providers and Level 1 merchants to file compliance reports.
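The deadline above turns on one concrete check: once a transaction is approved, the stored record must not contain full track data, card security codes or PIN data. The following is an added example (not code from the article, Visa or any PCI tool) of how a merchant could scan its own post-authorization records for that prohibited data. It looks both at field names that should never be populated and, with regular expressions based on the ISO/IEC 7813 track 1 and track 2 layouts, at free-text fields where track data can hide. The record layout, field names and the transaction records themselves are constructed for this example.

```python
"""Added example: scan stored post-authorization transaction records for data
that PCI DSS forbids retaining (full track data, card security codes, PIN data).
The track patterns follow the ISO/IEC 7813 layouts; the record format and the
sample records below are constructed for this example, not from a real system."""
import re
from typing import Dict, List, Tuple

# Track 1: '%B', PAN (13-19 digits), '^', cardholder name, '^', expiry (YYMM),
# service code (3 digits), discretionary data, end sentinel '?'.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ';', PAN, '=', expiry (YYMM), service code, discretionary data, '?'.
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}[^?]*\?")
# Field names (assumed for this example) that must be empty after authorization.
FORBIDDEN_FIELDS = {"cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}

# Constructed sample records; 4111111111111111 is a widely used test PAN.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"txn_id": "T1001", "status": "approved", "pan_last4": "1111", "auth_code": "A1B2C3"},
    {"txn_id": "T1002", "status": "approved", "pan_last4": "2222", "cvv2": "123"},
    {"txn_id": "T1003", "status": "approved", "notes": ";4111111111111111=25121011234567890?"},
    {"txn_id": "T1004", "status": "approved", "track2": ";4111111111111111=2512101?"},
    {"txn_id": "T1005", "status": "approved", "notes": "%B4111111111111111^DOE/JANE^2512101123400000?"},
]


def find_prohibited_data(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (txn_id, reason) for every stored value that must not be retained.

    A populated forbidden field is reported once by name; every other field is
    searched for track 1 or track 2 patterns so data hidden in notes or logs
    is also caught.
    """
    findings: List[Tuple[str, str]] = []
    for rec in records:
        txn = rec.get("txn_id", "?")
        for key, value in rec.items():
            if key.lower() in FORBIDDEN_FIELDS and value:
                findings.append((txn, f"field '{key}' populated"))
                continue
            text = str(value)
            if TRACK1_RE.search(text):
                findings.append((txn, f"track 1 data in '{key}'"))
            elif TRACK2_RE.search(text):
                findings.append((txn, f"track 2 data in '{key}'"))
    return findings


if __name__ == "__main__":
    for txn_id, reason in find_prohibited_data(SAMPLE_RECORDS):
        # Report by transaction id and reason only; never echo the offending value.
        print(f"{txn_id}: {reason}")
```

The scanner deliberately reports only the transaction id and the reason, not the matched value, so the audit output does not itself become another copy of the prohibited data. Running it against a database export or application log directory is the kind of evidence a merchant can keep to show that sensitive authentication data is not retained after approval.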

David Taylor, founder of the PCI Knowledge Base, agrees companies outside the U.S. don’t enjoy the same degree of financial support. “There really are no global incentives, just a marketing pitch in the Visa Global PCI Deadlines announcement last week to service providers,” he says.

Visa spokesperson Rosetta Jones confirmed Monday that the company does not currently offer any financial incentives for merchants outside the U.S.

“While Visa USA did offer some monetary incentives for U.S. merchants for a short period of time, the major motivator for merchants to achieve compliance has been their desire to properly protect cardholder data and to prevent being the target of a data compromise,” she says.

Keep the global perspective

Regardless, security experts agree companies must look at PCI security as a global mandate and ensure that the same controls used in the U.S. are being used elsewhere. There’s a danger of that not happening when companies find themselves deep in the weeds trying to get their arms around the sheer scope of the standard, says Daniel Blander, a CISM, CISSP and president of Techtonica Inc. in Los Angeles.

His advice is to not let the scope of the challenge get the better of the organization, and use every remediation and control to give something back to the business that provides a non-PCI return on investment.

“File integrity monitoring is great for improving the quality of implementations and maintaining configuration standards if used correctly; configuration standards can improve the delivery of services and systems by promoting consistency,” he says, noting that’s good for business as a whole — wherever in the world the company operates from.

Hospital fires up to 6 for accessing Pressly’s files

St. Vincent Health System fired as many as six employees last month for improperly accessing the records of Little Rock morning television anchor Anne Pressly while she was a patient at the company’s main hospital, the chief executive confirmed Wednesday morning.

System President and Chief Executive Officer Peter Banko said that while Pressly, 26, was still alive and a patient at St. Vincent Infirmary Medical Center in Little Rock, a routine patient-privacy audit showed that as many as eight people gained access to her records improperly.

“Those records were being audited every day,” he said, “and as soon as we learned of a possible breach, we investigated.” All eight were placed on leave pending a swift investigation, which determined that at least two had valid reasons for viewing Pressly’s records, Banko said.

“The others, and I won’t say how many exactly, the rest we terminated immediately on the same day,” Banko said. “I will say it was more than one.” Dismissal was a natural penalty for any breach of a patient’s privacy rights, he said.

“Patient privacy is a matter of law, and it is a matter of policy for us,” Banko said.

Northwest Arkansas’ News Source.
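The control that caught the breach described above is a routine access audit: every view of a patient’s record is logged and compared against the staff who actually have a treatment relationship with that patient. The following is an added example (not the hospital’s system or code) of that audit in its simplest form, run over constructed access-log lines. The log format, the care-team roster and all user and patient identifiers are assumptions made for this example.

```python
"""Added example: a minimal patient-record access audit of the kind the hospital
describes, run over constructed EHR access-log lines. It flags every record view
by a user who is not on the patient's documented care team and summarizes the
flagged views per user. Log format, roster and identifiers are assumptions for
this example, not the hospital's system."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed access-log lines: timestamp, user id, action, patient id.
SAMPLE_LOG = """\
2008-10-21T08:12:03 user=nurse01 action=VIEW patient=P-1001
2008-10-21T08:15:44 user=dr_smith action=VIEW patient=P-1001
2008-10-21T09:02:10 user=clerk17 action=VIEW patient=P-1001
2008-10-21T09:05:31 user=clerk17 action=VIEW patient=P-1001
2008-10-21T11:40:07 user=tech42 action=VIEW patient=P-1001
2008-10-21T12:01:55 user=nurse01 action=VIEW patient=P-2002
"""

# Constructed care-team roster: patient -> users with a treatment relationship.
CARE_TEAM: Dict[str, Set[str]] = {
    "P-1001": {"nurse01", "dr_smith"},
    "P-2002": {"nurse01"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the assumed log format; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_unauthorized_access(
    events: List[Dict[str, str]], care_team: Dict[str, Set[str]]
) -> List[Tuple[str, str, str]]:
    """Return (user, patient, timestamp) for each view by someone outside the care team.

    A patient with no roster entry has an empty care team, so every view of that
    record is flagged for review rather than silently allowed.
    """
    findings = []
    for ev in events:
        allowed = care_team.get(ev["patient"], set())
        if ev["user"] not in allowed:
            findings.append((ev["user"], ev["patient"], ev["ts"]))
    return findings


def summarize_by_user(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count flagged views per user, the list HR and privacy staff would work from."""
    counts: Dict[str, int] = defaultdict(int)
    for user, _, _ in findings:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    flagged = find_unauthorized_access(parse_log(SAMPLE_LOG), CARE_TEAM)
    for user, patient, ts in flagged:
        print(f"{ts} {user} viewed {patient} without a care-team relationship")
    print(summarize_by_user(flagged))
```

As in the story, a flagged view is a lead, not a verdict: the investigation step that follows decides whether the user had a legitimate reason the roster did not capture. The value of running the audit daily is that the gap between access and investigation stays short.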

Do Federal Agencies Belong in Cloud Computing Networks?

Given the current state of the economy and the yawning federal deficit, the efficiency and cost-savings associated with cloud computing are prompting U.S. federal IT agencies to flirt with the cloud platform. Slowly, of course, since it is the government, after all.

Cloud computing has become so pervasive in the enterprise that even federal agencies are moving—slowly, of course—in the direction of on-demand computing. Given the current state of the economy and the yawning federal deficit, the efficiency and cost-savings associated with cloud computing may prompt an even quicker shift to the cloud.

“In many cases, agencies are already using the Internet,” said Drew Cohen, a vice president in Booz Allen Hamilton’s Defense IT practice who is working closely with federal agencies. “The words and terms are new, but the core tools have been evolving for some time. It’s really just a maturing of things that are already going on.”

DISA (Defense Information Systems Agency), for instance, awarded contracts in 2006 for on-demand computing services. The idea was for government customers to pay for computing and storage capacity on an as-needed basis instead of having to invest in new hardware and software. Interested customers had to work through the Defense Enterprise Computing Center to develop solutions.

Taking another step toward the cloud, DISA recently introduced RACE (Rapid Access Computing Environment), in which Department of Defense users go to a Web-based portal and provision their own operating environments based on standard Department of Defense architecture. RACE contractors include Hewlett-Packard, Apptis, Sun Microsystems and Vion.

“DISA likes that model in terms of supporting their customers,” Cohen said, though noting that DISA is developing its own cloud for a number of security and privacy reasons. “Building your own cloud is a whole different thing. When you build your own cloud, when does it become a cloud?”

Research in the cloud

Other, more public-facing agencies are embracing the now traditional cloud platforms offered by, Google and Microsoft. In February, Google announced it was working with NSF (National Science Foundation) and IBM to allow the academic research community to conduct experiments and test new theories and ideas using a large-scale, massively distributed computing cluster.

Jeannette Wing, the NSF assistant director for the Computer and Information Science and Engineering Directorate, said in an open letter to the academic computing research community that the relationship would give government-funded researchers access to resources that would be unavailable to them otherwise.

According to Wing, NSF hopes the relationship will provide a blueprint for future collaborations between the academic community and private enterprise. “We welcome any comparable offers from industry that offer the same potential for transformative research outcomes,” she said.

Other agencies are also considering a move to cloud computing. After an October cloud computing seminar for government IT agencies, Cohen said more than 20 agencies approached Booz Allen for further insights on life in the cloud.

“Cloud computing gives the ability to go out and try things,” Cohen said. “The cloud offers the opportunity to unlock new ideas. A lot depends on the IT problems they are trying to solve. The rate of adoption [for cloud computing] depends on how and when they are taking up the problem.”

The U.S. government’s march to cloud computing faces steep barriers to adoption, particularly in the areas of security and privacy, but nothing insurmountable, Cohen said. “There are already vulnerabilities in our existing infrastructure that are not in the cloud,” he said. “In the cloud it is harder to exploit these known vulnerabilities.”

Government regulations are also a problem that must be addressed. FISMA (Federal Information Security Management Act), which dictates what federal IT managers can and cannot do with their data, was written before cloud computing developed. The ITAA (Information Technology Association of America) is already exploring what standards the feds might use in cloud computing.

Overall, Cohen predicted, federal agencies will take up cloud computing sooner or later. Given the slow pace of government agencies, though, “sooner” can often be much later.

Do Federal Agencies Belong in Cloud Computing Networks?

Federal system administrators feel mandated efforts are improving IT security

For the third consecutive year, a majority of federal decision makers surveyed on cybersecurity say they are more confident about their agency’s information technology security posture now than they were four years ago. A large majority also said they are spending more time each year complying with mandated security requirements.

The figures, included in a survey of 223 IT officials in more than 40 civilian and Defense agencies released today by Cisco, seem to indicate that security mandates from Congress and the Office of Management and Budget are focusing on the right things. The top priorities were achieving compliance with the Federal Information Security Management Act (FISMA) and implementing the president’s Comprehensive National Cyber Security Initiative.

A primary element of the president’s cyber initiative is the Trusted Internet Connection (TIC), an effort to consolidate and better manage government network connections.

“I think that is a really good move, to focus resources on fewer connections,” said David Graziano, Cisco’s manager for federal security solutions. However, he could not say whether federal IT security really has been improving steadily during the past four years.

The survey is the fourth annual study conducted for Cisco by the research firm Market Connections Inc. It claims a margin of error of plus or minus six percent.

Although confidence in agency IT security has consistently been high in the surveys, the level increased this year to 60 percent of respondents, compared with 51 percent last year who felt that their security had improved. A similar number, 64 percent, said they are spending more time this year on mandated requirements. Only 6 percent reported they are spending less time on these issues.

Respondents were evenly split in making FISMA and the cybersecurity initiative top priorities, at 48 and 47 percent, respectively. However, close behind among the leading issues were achieving green status in the President’s Management Agenda, improving grades on the Government Accountability Office’s scorecard and the job of linking budget to program performance.

Graziano said that civilian agencies tend to be more concerned about FISMA compliance than those in the Defense Department, probably because DOD gets only one grade covering all of its services and offices in the annual FISMA report card. “A lot of people are protected by that,” he said.

However, DOD also has been a leader in initiating security programs, such as an interoperable smart ID card, that have been adopted by the civilian side of government. DOD also benefits from a clear focus on a single mission of protecting the warfighters and the network assets supporting them, which contributes to cybersecurity.

“They may be about a year ahead of the civilian side” in cybersecurity, Graziano said.

Most administrators surveyed said that they still are focused on responding to incidents and putting out fires.

“It is a one-time security breach they are most concerned with,” Graziano said.

The security issues that keep them awake at night are the exposure of personal data in security breaches, inadequately trained or unconcerned users, and the impact of a security breach on operations.

More of the threats that respondents are worried about are coming from interactive Web 2.0 services, such as peer-to-peer communications and file sharing, remote access to data and social networking. One in five respondents reported they were involved in securing these technologies in their agencies. These are issues that administrators will have to come to terms with, like it or not, Graziano said.

So far, the use of online social networking and wikis for official business has been mostly limited to a few in-house sites for information sharing hosted on intranets in the intelligence community. But, “younger people joining the government workforce are used to these tools” and will expect to have access to them, Graziano said. “I think we are going to see some agencies adopt these and learn to manage them, while others will put up roadblocks. Those that embrace them will be seen as more forward thinking,” and might find it easier to attract new employees.

Concerning the president’s cyber security initiative, about 45 percent of respondents said they plan to manage their TICs entirely in-house, with another 32 percent managing at least some of the connections in-house. Only 19 percent plan to outsource their connections entirely.

“I think it’s a sense of controlling your own destiny,” Graziano said of these plans. Many agencies have had bad experiences in outsourcing networking services in which they did not get the quality of service or flexibility they wanted.

The primary challenges identified for meeting guidelines for the TIC program are maintaining service capability and the ability of security and network operations centers to handle the consolidated traffic. Getting adequately qualified staff also is a concern, as is the ability to perform deep packet inspection on network traffic.

There is a great deal of uncertainty over how much time and resources will go to the cyber initiative in the coming year.

“The budget dollars haven’t gone out to the agencies yet,” Graziano said. Priorities follow the money, and officials do not yet know how much money they will have to spend on these issues.


Inquiry Spotlight: Governance, Risk, And Compliance, Q4 2008 by Chris McClean – Forrester Research

Governance, risk, and compliance (GRC) continues to be a hot topic of interest for security and risk professionals. Between July 2007 and July 2008, Forrester’s security and risk management team received 1,798 inquiries on a variety of topics — 198 of which were from clients interested in GRC. Of the GRC-related inquiries recorded, 46% covered compliance best practices, 32% concerned GRC vendor selection, and 24% addressed risk management. Forrester doesn’t expect the focus on compliance to diminish drastically, but maturing companies are focusing more on how to manage a federated compliance program that encompasses all standards and regulations rather than managing separate initiatives for each. Inquiries about enterprise risk management and selecting comprehensive GRC management software platforms also echo the same trend toward maturity. Forrester recommends that professionals looking to adopt GRC programs begin by identifying where converging governance, risk, and compliance can provide greater efficiency and insight, and only then consider technologies that can support these benefits.


FTC Will Grant Six-Month Delay of Enforcement of ‘Red Flags’ Rule Requiring Creditors to Have Identity Theft Prevention Programs

The Federal Trade Commission will suspend enforcement of the new “Red Flags Rule” until May 1, 2009, to give creditors and financial institutions additional time in which to develop and implement written identity theft prevention programs. Today’s announcement and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.

The Red Flags Rule was developed pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under the Rule, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

The Rule applies to creditors and financial institutions. Federal law defines a creditor to be: any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor. Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, and non-profit and government entities that defer payment for goods or services. Financial institutions include entities that offer accounts that enable consumers to write checks or to make payments to third parties through other means, such as other negotiable instruments or telephone transfers.
