IT Professionals Ignore Removable Media Risks
http://www.ebcvg.com/articles.php?id=765
IT Professionals Ignore Removable Media Risks
Author: IT-Observer Staff
Monday, 13 June 2005, 13:50 GMT
Companies’ information security expenditure could all be for nothing as they turn a blind eye to the threat of removable media, according to a recently published survey. The survey highlights that a large number of organisations are yet to address the problem of removable media even though they are aware of the associated dangers.
The survey on removable media in the workplace, conducted by mobile security company Pointsec, highlights that removable media devices such as media players and USB flash drives are now routinely used by a huge number of employees in the vast majority of UK businesses, but with little regard to the security threat they pose.
With removable media plummeting in price, memory capacity soaring and more people using them at work, companies need to be aware of how easy it is for staff to use them, lose them or take competitive information away on them, all in the palm of their hands. If lost or stolen, vast amounts of valuable company information could seriously expose a company to extortion, digital identity fraud, or damage to their reputation, integrity and brand.
The survey, conducted among some 300 IT professionals, reveals that: removable media devices are being used in 84 percent of companies; on average 31 percent of employees within a company are utilizing them in the office; 90 percent of those surveyed were aware of the potential danger that removable media presents; 41 percent of IT professionals are not aware how easy it is to protect the data on a removable media device; and 66 percent of IT professionals who use USB flash drives admitted that they did not protect them with encryption even though they are aware of the associated dangers.
"There seems little point in companies spending vast sums of money on information security if at the same time they're letting their staff use these devices at work which allow them unhindered access to download vast quantities of sensitive company information," said Martin Allen, Managing Director of Pointsec UK.
"Storing information on devices is not a new problem - not so long ago it would have been information stored onto a 1.5MB floppy disk; however, now the problem is a much greater storage problem and therefore needs to be dealt with in the security policy. Organisations need to introduce strict guidelines on the use of removable media devices in the workplace, as well as investing in encryption software which will allow administrators to force the encryption of all data put onto a mobile device. Using this type of software is just as vital and inexpensive as using anti-virus software, yet only a fraction of organisations have woken up to the problem."
Either 40 or 35 days after eoq. (Don't know where I come up with 25 days... in a dream maybe.)
-R
http://www.business-journal.com/survival/articles/bizpersfnance/SECDeadlines2-9.html
Tips for Meeting Accelerated SEC Filing Deadlines
02/09/04
CHICAGO -- As 2004 begins, companies are running out of time to refine their financial operations to meet accelerated filing deadlines with the Securities & Exchange Commission for their quarterly and annual results. In the coming fiscal year-end, annual financial reports -- known as 10-Ks -- must be filed with the SEC in 75 days, 15 days earlier than the current deadline.
Subsequent quarterly financial reports, or 10-Qs, must be filed within 40 days of a quarter's end instead of the current 45-day requirement. Ultimately, the 10-K filing deadline will be shortened to 60 days, while the 10-Q filing deadline will be 35 days.
A recent study of 2003 second-quarter results by Parson Consulting suggests, however, that more than 60% of S&P 500 companies aren't yet meeting the shorter 10-Q filing deadline of 40 days for 2004 -- and more than 51% of those companies need to accelerate their financial reporting to meet the 75-day deadline.
"U.S. companies simply must speed up their financial-reporting processes to meet upcoming SEC filing schedules," says Rick Fumo, president of Parson Consulting. "Since filing deadlines are going to shorten over the next two years, it is advisable to improve their processes now in a methodical way that's sustainable over time."
Before companies can improve their financial operations, Parson Consulting recommends conducting a thorough assessment of their current capabilities, focusing on the following:
When will the 10Q come out... do they have only 25 days after the q to report? I expected the PP to be done by now and I do still expect another. But...
-R
Perhaps Dutton can make an estimate?
I'm afraid dots don't work for Wave any longer (been there done that.) It will take real numbers to change things in a big way. I do expect that this will take us well above a buck though.
I'm feeling better every day.
-R
No problem... I've been there before. It's more frustrating than a post of NEWS! with no links :)
-R
Everybody: Thanks for the Dell/Academies news.
Things are getting interesting. This is the sort of event that I'm (personally) looking for to see whether Wave's trajectory is less than or greater than 90 degrees. (Enough taxiing - sorry vader.) Watching and waiting... -R
Where was this? Do you have a link? At Dell the newest announcements concerning the Air Force or Marines were dated in 2003. (Ok, too lazy to search Navy, Army.)
-R
Slide 14 is the nut.
I see two ways up on this slide. 1) "No standard software..." I hope that we have the interoperability and ability to make this a false statement in the not too distant future. 2) "Standardize on a single vendor for TPM enabled laptops..." Dell puts us in a sweet spot.
If Gartner has this level of appreciation then security minded groups in the govt and enterprise market are there too.
I wish we had some news to publish.
-R
Nevermind- Domestic Securities, Inc of Clark NJ.eom
A level two question:
Who is DOMS? I don't believe I've noticed them around much.
-R
Indeed Sys V isn't the same as BSD (the board of regents have proven that in court.) Nor Sys IV or Sys III (or HP/UX, AIX, Solaris, Open MVX, Open-NT, or another flavor of Unix that ran on the Sperry systems of the early 80's... don't recall the name... oh, and there was the Nixdorf variant... - I'll admit to two glasses of wine).
Just wait whether you are invested or not. It will be in the Q2 and CC. Don't expect earth shattering numbers. However, Wave seriously needs to show something. The tech is good. The market is ripe. It is up to marketing, perception, branding, hype, smoozing, whatever.
The time is right for trusted computing. TC is developing a buzz. The key will be if Wave can connect. We have (who are invested) a solid technology to meet a real need. If you haven't invested wait until Q2 numbers for a major investment (is it 25 or 45 days from the end of the quarter?) If you're invested... hold on. All in my humble opinion - I'm a chicken I know.
Take care. Good luck and good night.
-R
He probably confused open source with open systems (more precisely Portable Operating System Interface and eXchange - POSIX). The key is that (as I understand) OS X is based on the Berkeley Software Distribution (BSD) of Dennis Ritchie and David Kernegin's (sp?) UNIX operating system developed at Bell Labs when what is now Lucent was developing truly ground breaking tech.
What is Linux based on? Who is Linux Tovil? (careful- I met with a Norse named Linux Tovil in the late 80's so I believe that I know.)
When I was still developing code (for money) I didn't have time to do this kind of stuff. Where are you and who do you work for or through? Go out and make money man! www.dice.com
-R
A day late and a dollar short...
The BSafe Data Security Manager will be ready for delivery in late September and will cost $50,000 for a developer license and $250,000 for an enterprise site license, according to company officials.
I hope.
-R
Weby: In my favorites folder. Thanks. -R
Thanks. Where did this come from? (Link?)
Very interesting...
-R
That's why I am too chicken to put in a limit order today! Honestly (I tell myself) I will not be greedy!
-R
Hi cmf: True... and I plan to evaluate the situation on the climb. But, I like to consider myself a strong holder in all of my investments and I'm afraid that I would become weak in the knees if I didn't realize some profit. Selling a bit into strength (especially after a double) isn't a bad thing. Actually, recognizing some profit will make my core in WAVX (me and my insecurities) more resilient as I hope to hold those through 100.
-R
Trombone: I've nearly doubled my position over the last two weeks (got some today at .86 but it wasn't filled so now I have an odd 700 shares that will drive me crazy until I get to an even 000's.) Even at this SP WAVX represents over half of my portfolio... at $2+ I'm afraid I'd lose too much sleep if I didn't take some profit. I'd rather sell a little going up and feel good about the wisdom in recognizing a value. I guess I'm just not cut out to hang with "the club".
-R
kanubleveit- I know what you're saying and agree. But, I'm hypersensitive to those who are hypersensitive... I am very guilty (not only of noting my opinion but of including parenthetical explanations which are positively unneeded.)
IMO if I can't control my self I should just delete myself.
-R
Thanks awk. If there is one thing that can sink TC it will be the "privacy" advocates. On page ten is an intel logo but the 'intel inside' has been replaced with 'big brother inside'. STUPID, STUPID, STUPID!
Given problems that Intel has had in the past with simple attempts to enumerate their processor I just cannot believe they would let that fly.
Looks very good. I look forward to reading the whole thing a bit later.
-R
Shall, can, may and will:
An engineer's bane. Working with a reduced instruction set doesn't correlate to easier implementation.
I used to develop open software for a living and standards based development is no trivial matter. (I realize it -the TCG and its 1.2 TPM- is technically a specification at present. However most lay people don't distinguish a specification from a standard and you seem to assume an understanding of standard.) I can and have had rants about Wave's management (I'm cool now... took me a few weeks though), but I've never had an issue with either their technology, implementation or utilization (understanding it is new and a paradigm shift for the IT industry -IMVHO). Over the years Wave has hired the prophets of their respective disciplines and (IMHO) the products well represent their expertise.
Look to the market and its acceptance/understanding of TC.
All in my very humble and ill informed opinion.
-R
You can buy their motherboards (w/TPM, bus, cache, maybe a NIC, and other assorted goodies) or buy their CPU to install on a motherboard you build yourself.
-R
It isn't about history it's about the future...
IMO the ability of Wave to leverage their competency with a changing (IMO developing) market should be looked at as a major positive. They're not a one trick pony.
WARNING Major pontification here- In the eweek article I posted earlier (the online version) had a link to learn more about their desktop management scheme. The link led to an article from early '93... the die may have been cast then and the mold is just now cool enough to open for the world to see the result. Patience.
Sola fide,
-R
Naval Academy knows its cybersecurity
Sorry if already posted.
-R
http://www.gcn.com/vol1_no1/daily-updates/35786-1.html
05/12/05
Naval Academy knows its cybersecurity
By Dawn S. Onley
GCN Staff
The United States Naval Academy beat out the four other service academies in the annual Cyber Defense Exercise, designed to equip students with the ability to protect the nation’s critical information systems.
Sponsored by the National Security Agency, CDX challenges each academy team to design, build and configure a real-world computer network simulating a deployed joint service command. A network operations “red” team, composed of NSA and Defense personnel, then identifies the vulnerabilities and attempts to hack each network over a four-day period.
The teams are evaluated on how well they maintain services, as well as on efforts to detect, respond to and recover from network security breaches.
“The CDX brings practical experience into the classroom,” according to an NSA release.
The United States Air Force Academy and the United States Military Academy tied for runners-up. Other participants were the United States Merchant Marine Academy, last year’s winner, and the United States Coast Guard Academy.
The NSA Information Assurance Director’s Trophy will remain at the Naval Academy until next year’s exercise.
TPM mentioned for differentiation... (Third para. Sorry if repeat post. How does one bold text?)
-R
http://www.eweek.com/article2/0,1759,1817010,00.asp
Intel Lightens IT Load with Baked-In Management Software
Building management directly into a PC is a step in the right direction, said one executive at a large PC maker, who wished to remain anonymous. But PC makers, who face intense competition, often deliver the same basic management technology across their desktop lines, and differentiate them with other features such as processor speed and hard-drive size.
Professional Business Platforms, by Intel's definition, must include a Pentium 4 630, 640 or 650 processor with hyperthreading—the chips range in speed from 3GHz to 3.4GHz—as well as the 945G chip set, which offers a faster, built-in graphics core.
The platform also will include the Intel Pro/1000PM Gigabit Ethernet adapter. Active Management, which requires the Intel Pro Gigabit Ethernet adapter, is an option on top of those.
It could well be too much for some, at least at first. PC makers instead might opt to spend money on security features, such as trusted platform modules, which can be used to differentiate themselves from competitors, the executive said.
To encourage adopters, Intel has been working to make the Active Management Technology attractive by collaborating with companies including Altiris, BMC Software, Checkpoint Software Technologies, Computer Associates, LANDesk Software, Novell, Symantec, StarSoftCom and Trend Micro.
"We've been working with all those companies to integrate Active Management into their paradigm. We're providing new hardware capabilities that can be exposed to those consoles," Ferron-Jones said. "You can get in there and do some diagnosis, all without user intervention … there's a lot to reduce desk-side visits."
The chip maker still doesn't expect that every Professional Business Platform PC will be fitted with Active Management Technology, Ferron-Jones said.
But Intel will continue to work on its business PC platform. Looking ahead to platforms for 2006 and beyond—where it will focus on boosting communications capabilities as well as on multitasking—the chip maker will add its dual-core chips, he said.
Although Intel has already delivered a dual-core Pentium Extreme Edition chip and will soon follow up with dual-core Pentium D next month, it's planning to offer them mainly to consumers and not to include them in the Professional Business Platform until 2006.
But the platform will gain dual-core chips in 2006 as well as additional, as-yet-undisclosed features.
"We will continue the program year to year, going forward," Ferron-Jones said.
The core of OS X (latest Apple OS) is said to be Berkeley Unix. It would be effort... but (depending on the level of POSIX / open systems expertise captured within the product) it could be a reasonable aspiration/expectation.
IMHO,
-R
Thank you, Unclevername.
-R
I think (hope) most have waited. I had been of the mood to vote no to the new shares while maintaining the current board. Now, I am thinking NO to the current way of thinking. I agree with a previous poster that Wave is worth more than 60 mill. The problem is that current mgmnt has no clue how to recognize this value.
OT (a bit): I was amused by the notion that some presented here that it was somehow normal for a CEO to have a lien placed on their home by the IRS. What!?! Management of one's personal finances (IMHO) can well be considered an indication of how they would manage company finances.
My last (hopefully) rant for the night (I can't promise as I've yet to finish catching up.)
-R
Wait. The eventuality of dilution with this call will bring the price down into the .40's. (I will purchase more at .42 as a speculative play -in hopes that a real company will recognize the latent value, buy and fire the current management.)
AIMOMHO,
-R
The last sentence is a link... Of course the link is broken (thank you Murphy.) I shot them an email and will follow-up when I can get it if it is of possible interest.
-R
From Server-Pipeline newsletter today. (I just got mine.)
http://www.serverpipeline.com/trends/162100668
Editor's Picks
Top Story: The Lowdown On Longhorn
In sessions at last week's WinHEC conference and in interviews with Microsoft officials, CMP Pipeline Editor Scot Finnie got some deep insight into the technical details of the upcoming Longhorn operating system -- including its basis on Windows Server code
<major snip>
Secure Startup And TPM 1.2. One subsystem that is clearly different is NGSCB (Next Generation Secure Computing Base), a hardware-and-software-based security technology that was planned to be a part of Longhorn. Microsoft stopped using that terminology a while back. Instead of NGSCB, Microsoft is now talking about building in support for TPM (Trusted Platform Module). TPM 1.1 is the stuff of "embedded security chips" found in IBM and HP computers. According to partner sources, Microsoft will support TPM 1.2 in Longhorn. Also helping to replace NGSCB is a Longhorn functionality Microsoft calls Secure Startup, which is designed to protect PCs from unauthorized use. For more information about Secure Startup, see Microsoft's Secure Startup - Full Volume Encryption: Technical Overview.
-R
Willem: I believe that you have posted some modestly prescient posts... here you're going over the line. TRULY ANYTHING you get over the internet should be suspect. I'm not suggesting that everything is felonious but, really, a site such as this has to present a good deal of conjecture due to the nature of the topic (SEC regulated securities, computer security, potential --hopefully-- national security, corporate security, etc.)
Alright, JMHO- perhaps you are over invested in (yes it is) a speculative venture. When the SP rises back to your entry price (JMHO, but I'm pretty sure that it will) perhaps you should consider a re-allocation of your portfolio.
Based on your posts you seem bright, but not particularly hardened to risk. Is this stock right for you? It may be at 100 dollars 4 years from now... on the other hand it may be at 1 cent. YOU need to do your own research (please contribute findings to iHub) and make YOUR own decisions relative to your risk -v- reward.
All in just my own humble opinion.
-R
Weby-
I like your style. I have resolved to hang tough through 2Q reporting barring what I feel are factual reportings from the company which would be uncomfortably revolting to me. Related to this site (which I greatly appreciate) I try to recognize the invisible guiding hand of self interest as it presents itself (thank you Adam Smith). The number of national and newer international standards and regulations for computing security beg for Wave's technology.
The rub: I don't fully trust the mgmnt. If it weren't for mgmnt's proposal to further dilute the share I might have been willing to enter "the club". As it stands I am comfortable where I stand and believe that if management is at all competent in delivering the company's message to potential customers (I feel corporate and government is the most ripe for the next 0-4 years) we will do well.
Ok. I am posting another hissy about the dissolution... my prerogative. I hope I may still be invited to LV. Please don't delete me Snackman.
-R
OT- BRUT
Anybody with level two notice the funny flips of BRUT? They are on ask 1 at .74 and 20 seconds later they are on ask 6 at .79 a bit later they go through this gyration again. Who is BRUT and why are they so often at both the bid and ask.
Thanks.
-R
The next station I'm looking to will be May 10(?)- 1Q numbers. A stop which I'm not looking forward to is the addtn'l shares from the SHM... for me, I want to see (or at least hear) where the engineer is taking this train before then.
Jees I can't get over this share thing... it makes my blood boil.
-R
I missed jo's original email
but the response was great! Good on you all of you.
-R
OT- sorry if previously posted.
http://www.microsoft.com/business/executivecircle/content/page.aspx?cID=1221&subcatID=1
This came in my Server Pipeline newsletter today. He discusses the idea of "Trust framework" near the end... (Sure to create a lot of FUD.)
Strategic Imperatives — Security Gets a Business Framework
Terry Sweeney
Security takes on personal and professional hues for Thomas Parenty. He started his own martial arts school in between gigs with the National Security Agency as an encryption expert and starting his own consultancy to advise corporate clientele on smarter security strategies. So he’s got the bona fides to talk about protection of all sorts.
Parenty’s diverse background underscores that. He served as a member of the National Research Council's Board on Assessment of National Institute of Standards and Technology (NIST) Programs, where he reviewed work on the Advanced Encryption Standard (AES) and wireless security. He’s testified before Congress on national security, law enforcement and privacy and has an encryption patent pending. And he worked in the private sector for Sybase.
Parenty’s latest book, Digital Defense: What You Should Know About Protecting Your Company's Assets, was published in September 2003 by the Harvard Business School Press, just before he relocated to Hong Kong. His book demonstrates the misconception that a firewall (or even lots of firewalls), a new algorithm or even some cool new biometrics technology somehow will protect assets and make the bad guys go away. Instead, Parenty argues that any corporate security process that’s going to be effective must be closely tied to the specific business activities and the company’s mission.
--------------------------------------------------------------------------------
Executive Circle: You’re critical of companies that worry more about protecting computers than information. What’s involved in changing the mindset? Is it simply a matter of taking an organization’s strategic objectives and mapping security initiatives to each?
Thomas Parenty: The first step is recognizing that an organization’s strategic objectives and operational requirements should drive security initiatives. The vast majority of security work is done without any real understanding of what an organization does for a living or how it does it. Because the security work is done in isolation from the organization’s real business purpose, you waste money on time and software.
A related problem is that many security technologies are deployed without understanding the threats or effective countermeasures. The result is you don’t protect information the way you need to, and you put barriers in the way of people getting their work done.
Executive Circle: Can you give us an example?
Parenty: Many e-commerce websites store consumer financial information, such as credit card numbers, and they encrypt the credit card numbers so they are protected even if a hacker is able to break through the network and operating system protections. So far, so good. Unfortunately, many of these websites still store the key used to encrypt the credit card numbers in a file on the same computer. If you are concerned about hackers breaking into your computers to steal credit card numbers, you should have the same concern about them stealing the key to decrypt these numbers.
Another example is a multinational chemical company. Several years ago, they went to great lengths to move some of their advanced R&D staff to an off-site facility. They deployed firewalls and a range of other security mechanisms to protect the sensitive formulas stored on the computers there. So far, this is a full credit answer.
Unfortunately, some of the researchers thought that all employees should have access to product formulas, because it might help them in their work. So they bypassed all of the security mechanisms and made the formulas available via the company’s internal Web site. This put the company’s most important trade secrets at great risk without helping anyone to do their work.
This case is unusual because most companies in the chemical, pharmaceutical, make-up and soft-drink industries have a much better appreciation of the value of their information and who needs access to it to do their jobs.
Computer Security is Not Information Security
Executive Circle: What other methods or processes do you encourage corporate planners to consider to proactively use information security to improve their businesses?
Parenty: One simple method is to look at business operations where existing protection measures, often manual, limit flexibility and growth. The use of information security can eliminate or reduce these limits.
Customer self-service is an increasingly common example. Customer service staff performs many security functions, such as authenticating customers, deciding what information they can receive, what operations they can perform and writing down a record of what has happened for future reference.
Performing all of these security activities is necessary, but expensive when done by staff. Companies improve customer retention while reducing costs by allowing customers to securely access their information without having to go through a voicemail call-tree of 12 choices to talk to a customer service representative.
Increased competitiveness from the ability to perform certain business operations more quickly and efficiently with security can make a huge difference. Business-to-business trade exchanges, with the appropriate security, can make the whole supply chain work much more efficiently.
Executive Circle: You consider computer security as distinct from information security. What’s the practical application for IT people?
Parenty: When I say “computer security,” I’m talking about perimeter-oriented and generic protections like anti-virus software and firewalls. These technologies protect a company’s computers and networks in the same way a fenced parking lot and guard can protect a company’s fleet of vehicles. They are necessary measures, but they don’t provide any help in protecting the information these computers process.
Even if anti-virus, intrusion detection, firewalls and honeypots worked perfectly so no virus or hacker ever got in, executives still would have no way to answer questions like, were all the checks cut by accounts payable for the price negotiated? Is employee medical information in human resources confidential? Those protections operate at a generic level and so cannot answer these business-specific questions.
The pragmatic lesson is that you should do a good job protecting the perimeter, and then get on with life and focus on being able to answer whether all the electronic funds transfers are valid or if a chemical formula is protected from competitors.
Executive Circle: To ensure that enterprise information is safe from fraudulent use, competitors’ eyes or other unauthorized use, isn’t some focus on technology appropriate?
Parenty: There is a clear need to focus on individual technologies, but there is a danger in focusing on it too early in the security process. One example is the head of a company who approached me to discuss his company’s security issues. He started the conversation with, “What firewall would you recommend?” When I asked what the problem was, he said some employees and business partners were taking corporate information from internal computers.
It was then easy to see that a firewall wasn’t going to help, but that he needed to control and audit access to information. If you assume you need a particular technology, it’s easy to miss the point of what protections you actually need, and you end up with a solution that doesn’t solve your problems.
It can be helpful to group security technologies into four areas:
Confidentiality and privacy of information, which help to create a private online business environment. This includes encryption to protect information while it’s transmitted or stored.
Knowing with whom you are dealing. This means authenticating users and computers using technologies such as smart cards, digital certificates or biometrics.
Controlling who gets access to what. Access control lists, digital rights management, encryption and authentication come into play.
Holding people accountable for what they do, and ensuring that the things you see on the Internet are authentic and came from whom you thought they did. Audit trails and digital signatures help.
Not everyone in an organization needs to have the same level of understanding of these technologies. Just like you don’t have to be an audio expert to buy a stereo, an executive shouldn’t have to know the differences between two different encryption algorithms to make a security purchase decision. IT people should be able to dig down deeply into security technology, as needed. The business problem should drive the search for security technology.
Establish the Trust Framework
Executive Circle: You encourage enterprises to think and act around a Trust Framework, which uses information security to provide assurance of safe, proper operation of digital business. Explain how that plays out on a more concrete level.
Parenty: The Trust Framework starts with a given business activity, and identifies the security-related requirements that are necessary for you to feel confident in the success and trustworthiness of this activity. I call these “trust objectives.” You shouldn’t think about technology at this stage.
Consider a company that wants to expand its office supply business into a business-to-business (B2B) portal for indirect goods. Some of the trust objectives for its current business are authenticating all buyers and sellers, keeping certain pricing information confidential, and maintaining a record of transactions for billing and dispute resolution. These trust objectives still hold true for the B2B portal, but many of the protection mechanisms used to meet these objectives in the physical world disappear in the move online. For example, much of the face-to-face and telephone contact that helped ensure the trustworthiness of business transactions is gone.
I look at security technology as part of the “trust evidence” you need to meet your trust objectives in the digital world. For example, authenticating buying and selling organizations within a portal requires an initial registration process that could be in part manual as well as security technologies, such as passwords or digital certificates that will be used on an ongoing basis. Encryption replaces FedEx for protecting sensitive business documents.
By establishing trust objectives, you have a statement of what security means in a specific business context, which is increasingly important for corporate governance. Saying you thought your information was safe is no better a defense than saying you thought the company books were OK. A clear statement of trust objectives and the trust evidence you’ve used to meet these objectives lets employees, directors, stockholders and regulators decide if that’s good enough. Having 25,000 firewalls says nothing about how safe it is to do business with you other than you’ve made your firewall vendor incredibly happy and rich.
Breaking out of the Mold
Executive Circle: IT sometimes gets stuck in a particular pattern of thinking. How do you encourage enterprises to rise above their own limitations with regard to security implementations or guiding philosophies?
Parenty: A perception among many non-IT business folks is that information security is too complex to understand so it’s not worth trying to understand it. That perception is wrong and dangerous, because the people responsible for the success of the business have washed their hands of its decision-making.
Yes, the CIO needs to be more business-like and less technology-minded. But the people who make security technology selections are often much lower down the food chain within the IT department. If they don’t have a business focus, the IT department will come up with a technology solution that doesn’t fit the organization, because they didn’t know better. They will end up spending a whole bunch of money and creating a lot of resentment.
There are two keys to success. The first is for non-IT management to step up to their responsibility to make security decisions. The second is for IT staff to keep in mind the business problem they are trying to solve and not just the security technology they use.
Terry Sweeney is a Los Angeles–based writer and editor who has covered telecommunications, networking and the Internet for more than 20 years.
Forest for the Trees...
Man, it seems everyone is hung up about being gold, silver, platinum, bronze or stainless. People are looking into the details of a straw-man. What is its (Longhorn's) shape? It looks like Wave although there is a VERY dense fog. MS has left the door open... perhaps for Wave to enter. It is management's job to cross the threshold. As I have said before (IMO) it will require substantive demonstration of acceptance before anything can happen with Wave's SP. (<-that's a period.) I am disappointed that Wave hasn't yet produced anything from WinHEC but I will wait until 1Q is published to consider the implications. I am neither a priest nor a peasant (certainly not a prophet) but I truly believe in the potential of Wave's technology. (Another parenthetical comment... I am still seething with umbrage over the gall to propose a dissolution of shares. Another topic I hope to address after 1Q earnings are published.)
Good night, good day, good luck.
-R
The Logo requirements draft 0.51 version 3.0 and MS's use of "if implemented" make sense (to me at least).
http://download.microsoft.com/download/9/1/3/913ff560-d050-43a3-b17c-7e9deef415e4/WLPDraft051.doc
From the above document (major snip above and below):
"If Implemented": Additional Requirements
The logo program requirements address only a subset of the features or technologies in the PC ecosystem. Implementing such additional capabilities can offer a competitive edge for manufacturers. If a capability that is not part of the program requirements is implemented in a system or device, however, additional requirements might be defined for that capability to assure that the implementation on the device works well with Windows. Because these additional requirements apply only if the relevant capability is implemented, they are referred to as “if implemented” requirements.
If an optional feature is not implemented correctly, as defined in this document, Microsoft will not license the Windows Longhorn Logo for the device.
Similarly, if a device supports functionality that is not required for its compliance level, any Windows Longhorn Logo Program requirements associated with that functionality must still be met. For example, if an audio device that supports UAA is being tested for the Signature level, the device and driver must meet all UAA requirements, even though these requirements are not labeled as "if implemented" for the Signature level.
For example, CardBus support is not required for any system. The related requirements are labeled as "If implemented" in this document. No additional signature or compliance-level logo is associated with optional and "if implemented" features for CardBus. However, if CardBus support is implemented, the specific capabilities defined in this document must be implemented to ensure that CardBus components work well with Windows.
Sola fide,
-R