xxxx -That's the quick reference guide for $3.
SI International: Maybe not so OT:
NORTHROP GRUMMAN NEWS RELEASE
Northrop Grumman Wins U.S. Air Force Network Centric Solutions Contract
HERNDON, Va., Sept. 13, 2004 -- The U.S. Air Force has awarded Northrop Grumman Corporation (NYSE: NOC) and seven additional contractors a five-year indefinite delivery/indefinite quantity (ID/IQ) contract to provide information technology products and services for the Air Force's Network Centric Solutions (NETCENTS) program. The overall ceiling of this ID/IQ contract is $9 billion.
Northrop Grumman's Information Technology (IT) sector will compete for task orders that will include network engineering, software development, IT infrastructure modernization, integration, and sustainment, information storage and management, security and telephone services, and voice, video, and data communications products.
"We have built our NETCENTS team around our experience serving the Air Force on the Unified Local Area Network Architecture and Combat Information Transport programs, and our first-class team of partners offers unmatched capability to help the Air Force with its mission requirements," said James O'Neill, president of Northrop Grumman IT. "We look forward to assisting the Air Force with modernizing their infrastructure as they move toward more network-centric solutions."
Work on the contract will be performed at all permanent Air Force locations as well as the expeditionary Air Force requirements on a global basis.
"Northrop Grumman, as a company, has extended global reach and depth of capability," adds O'Neill. "This translates into lower risk and reduced cost for the government, plus the ability to undertake complex tasks with global coverage. We have the team that can lead the Air Force to future technology with industry leaders in such areas as voice-over-internet protocol."
Northrop Grumman announced its NETCENTS team on Aug. 10; it includes 10 big-business partners and 24 small-business partners. The company's big-business partners include: Computer Sciences Corporation, El Segundo, Calif.; SAIC, San Diego; BearingPoint Inc. and RS Information Systems, Inc., McLean, Va.; Siemens AG, Munich, Germany; T-Systems, Frankfurt, Germany; Verizon Communications and AT&T, New York, N.Y.; Dell Inc., Round Rock, Texas; and SI International, Inc., Reston, Va.
Northrop Grumman Information Technology, headquartered in Herndon, Va., is a trusted IT leader and premier provider of advanced IT solutions, engineering and business services for government and commercial clients. The company's technological leadership spans such areas as homeland security solutions, secure wireless, cyber and physical assurance, IT and network infrastructure, managed services, knowledge management, modeling and simulation, and geospatial intelligence solutions.
CONTACT:
Juli Ballesteros, APR
(703) 713-4675
-R
OT: Government IT Work Boosts SI International's Fourth-Quarter Revenue And Profit - I know these guys attend a lot of the same conferences as Wave... (hmmm). I googled Wave with SI and pulled a lot of common conferences/seminars but nothing indicating direct contact.
-R
http://www.outsourcingpipeline.com/news/60401278
February 15, 2005
Government IT Work Boosts SI International's Fourth-Quarter Revenue And Profit
By Eric Chabrow Courtesy of InformationWeek
Performing IT chores for the federal government is paying off big for integrator SI International Inc., which Monday reported that net income in the fourth quarter ended Dec. 25 increased 28% to $3.0 million, or 26 cents a share, from the same period a year earlier. Revenue for the past quarter increased 58% to $69.6 million.
For the year, revenue increased 56% to $262.3 million, as net income rose 47% to $10.9 million, or $1.14 a share, from 2003.
SI expects revenue growth will continue this year, rising between 10% and 15%, the company said.
In a statement, CEO Ray Oleson credited SI's record performance with the company's focus on bidding for contracts that involve homeland security, military transformation, and information sharing between government agencies and operations.
The projects SI worked on in 2004 included developing and deploying biometric-based smart identification cards to support coalition forces in Iraq; designing learning management and learning content management systems for the Defense Ammunition Center; building and deploying a web-based system to track international imports and exports and interstate movement of live animals and animal products; and deploying Microsoft SharePoint applications for use by more than 650,000 government workers.
RE the CNN ad link: from the "Why Dell Latitude" link the TPM is the first highlight under SMARTER... (The pitch is that SMARTER, FASTER, STRONGER are the reasons to pick the Latitude series.) Makes my day already (and I just got started.)
Here is the text from the "what is TPM" link. (This is on a panel right next to the WAVE ETS panel previously posted.)
http://www1.us.dell.com/content/topics/global.aspx/solutions/en/latitude_highlight?c=us&l=en&...
<paste>
What is TPM? The TPM, or Trusted Platform Module, is a security hardware device on the system board that will hold computer-generated keys for encryption. It is a hardware-based solution that can help avoid attacks by hackers looking to capture passwords and encryption keys to sensitive data.
The security features provided by the TPM are internally supported by the following cryptographic capabilities of each TPM: hashing, random number generation, asymmetric key generation, and asymmetric encryption/decryption. Each individual TPM on each individual computer system has a unique signature initialized during the silicon manufacturing process that further enhances its trust/security effectiveness. Each individual TPM must have an Owner before it is useful as a security device.
--------------------------------------------------------------------------------
TPM Applications TPM is useful for any customer that is interested in providing an additional layer of security to the computer system. The TPM, when bundled with an optional security software package, can provide overall system security, file protection capabilities and protection against email/privacy concerns. TPM helps provide security that can be stronger than that contained in the system BIOS, operating system, or any non-TPM application.
--------------------------------------------------------------------------------
Which Dell systems support TPM? The TPM 1.1b security hardware device comes standard on the following Latitude™ notebook systems: Latitude D410, D610, D810 and Dell Precision Mobile Workstations M20, M70. Dell recommends the use of the Microsoft® Windows® XP Professional operating system with TPM, which includes advanced security, mobility and networking features. TPM is currently not supported by Dell on Red Hat® Linux® operating systems.
<end paste>
Buffetguy: as in Sperry/Unisys?
Eamonshute- THANK YOU!
Two points I immediately take from the story are 1) "I don't think we were the only state affected," said Kott, who led the Legislature's Information Technology subcommittee last year.
and 2) "If it's sizable, multimillion dollar upgrades, which I'm guessing it's going to be, then we have to take a serious look at it," Kott said. "I don't think we have any choice but to take care of the problem."
Eight days later a new marshal is coming to town?
Eamonshute- You may have posted the right story. But I just can view it. I noticed the message numbers were different in the link you provided and what was presented to me. Thanks.
Thanks but no. It was a post from an Alaskan newspaper (cut and paste) with a link to the original story. I'm 90 percent certain I posted it within the last two weeks (99% within the last month.) I just can't use the search function on the board (b/c I'm too cheap.)
-R
Alaska government systems were hacked several months ago. The story finally broke a week or two ago... I posted it. Unfortunately I cannot search for my post to provide the link to the original story (and to refresh my memory). If a premium member would do this I would very much appreciate it. As I recall the FBI was, of course, deeply involved.
-R
Greenspan was just talking about the incredible new security technologies being developed (heard it on CNBC). I think he's at a congressional hearing, although I'm not sure.
Trusted Computing and Wave's role is difficult to grok. I don't think many people have/can. Given Wave's history (all the ups, downs, false starts, stumbles -whatever) people are waiting for something tangible (revenue). We'll see. Sola Fide.
It will all be about revenues... Chill. If we had a (what I would consider minor) run to $2-$5 it would satisfy those who are along for the ride. I and (I believe many) others are here to reach the destination. IMHO: wavx is very much a show-me stock. Use your best judgement, pay your money and take your chances. The path (one way or the other) will be clear by the end of the summer.
-R
Just my blindly ignorant opinion. (Although I believe I am nearing the point of a lucid ignorance.)
Thanks monn,
This led me to do a new search on HP's site (it's been a week or more) and I found a bunch of stuff I hadn't seen before. Great stuff!
-Richard
http://h18004.www1.hp.com/products/security/partners.html
HP ProtectTools ISV solutions
As part of an ongoing effort to strengthen PC security, HP trusted computing notebooks, desktops, and workstations are offering new applications that together deliver enterprise-grade IT security solutions. Trusted computing platforms from HP feature the TPM embedded security chip and software that enable better security for many applications and security solutions on the market today. This security feature is being validated with a growing number of third party security software solutions. HP enables trusted computing security solutions that deliver greater value and trouble-free deployment with leading third-party software solutions, to provide the enterprise with end-to-end security today and in the future. The TPM Embedded Security Chip is offered on a number of HP business notebooks, desktops and workstations. Refer to www.hp.com for product specific information.
RSA Security
TPM Embedded Security Chip enabled PCs, based on the open Trusted Computing Group architecture, have been certified under the RSA Secured® Partner Program. Specifically, TPM Embedded Security for HP ProtectTools has been designed to enhance the RSA SecurID® solution, enabling customers to use an RSA software token with their RSA SecurID infrastructure. By using the TPM Embedded Security Chip, customers are no longer limited to the RSA hardware token - a credit card sized device that generates one-time use passwords - and are able to use the software version instead. The combination of these complementary solutions from HP and RSA Security generates real benefits in terms of reduced deployment complexity and cost for many types of users without compromising the overall security of the RSA SecurID solution. Learn more about Embedded Security for HP ProtectTools integration with RSA products.
With a 20-year history of outstanding performance and innovation, RSA Security's authentication solutions remain an industry standard for companies looking to protect their mission-critical data assets and enable e-business applications by ensuring the authenticity of people, devices and transactions. RSA Security offers enterprises a wide range of authentication options including:
Software and hardware tokens
Smart cards
Digital certificates
to help positively identify users and devices before they interact with mission-critical data and applications through:
VPNs
Email
Intranets
Extranets
Web servers
Other network resources
With more than 12,000 customers around the globe, RSA Security provides interoperable solutions for establishing online identities, access rights and privileges for people, applications and devices. Built to work seamlessly and transparently in complex environments, the company's comprehensive portfolio of identity and access management solutions -- including authentication, Web access management and developer solutions -- is designed to allow customers to confidently exploit new technologies for competitive advantage. RSA Security's strong reputation is built on its history of ingenuity and leadership, proven technologies and long-standing relationships with more than 1,000 technology partners.
Wave
When used in conjunction with Wave Systems' EMBASSY® Trust Suite, the HP ProtectTools Embedded Security solution enables more secure and seamless file storage and business transactions. The combined solution from Wave Systems and HP provides customers with stronger PC security that is easy to administer and use, by IT staff and end-users alike.
Wave Systems' Document Manager uses the Trusted Platform Module (TPM) of HP ProtectTools Embedded Security to provide secure storage and management capabilities for file, folder and drive-level encryption, enhancing the native functionality of HP's solution. This solution easily integrates file encryption into Microsoft Office applications and Microsoft Windows Explorer.
Additionally, HP ProtectTools Embedded Security is enhanced by Wave Systems' e-SIGN Transaction Management (eTM) Suite™, which ensures the integrity of digitally signed contracts. The eTM suite of services, with SmartSignature® and SmartSAFE™, offers a complete web-based digital signing and document storage solution including digital document creation, digital signatures, and document management and retention. Combining the functionalities of HP ProtectTools Embedded Security and the eTM Suite enables customers to electronically sign and store legally binding documents.
Wave Systems, a leader in the development of infrastructure and services that enable the deployment and management of trusted computing platforms, is headquartered in Lee, MA, with development centers around the U.S. and in France.
© 2005 Hewlett-Packard Development Company, L.P.
Sounds like the military needs trusted computing.
http://www.fcw.com/fcw/articles/2005/0117/web-wolf-01-21-05.asp
DOD fights 'Net
Related: "Army rebuilds networks after hack attack" [FCW.com, Sept. 6, 2004]
BY Frank Tiboni
Published on Jan. 21, 2005
The second-highest public official at the Pentagon considers computer security so important to military operations that he sent a memo last year to department leaders telling them they must "Fight the Net."
"Protection of DOD computer network systems is a key priority. Leaders at every echelon must be personally involved in the defense and protection of our computer networks," said Deputy Defense Department Secretary Paul Wolfowitz in the memo, "DOD Network Defense."
The Pentagon's top information assurance official said Wolfowitz issued the memorandum because he wants all department personnel who use a computer to take a personal responsibility in protecting the Global Information Grid, the network of DOD business and war-fighting systems. "Everybody must understand the importance of practicing good computer security," said Robert Lentz, director of information assurance in the Office of the Assistant Secretary of Defense for Networks and Information Integration and Chief Information Officer.
Wolfowitz offered five tips to improve computer security department-wide:
Employ information assurance best practices for proper network configurations.
Use accepted password management practices.
Minimize access privileges through need-to-know criteria.
Increase awareness of cross-domain file transfer security procedures.
Eliminate unauthorized use of readily exploitable software such as peer-to-peer file sharing and remote access applications.
In the two-page memo dated Aug. 15, he acknowledged the hacking of military systems. "Recent exploits have reduced operational capabilities on our networks," Wolfowitz said. "Failure to secure our networks will weaken our war-fighting ability and potentially put lives at risk."
He cited poor network management and vigilance as the culprit. "While great strides have been made in a number of areas, we continue to be negatively impacted when deficiencies in our information systems are successfully exploited," Wolfowitz said. "In most cases, proper vulnerability management would have prevented this."
Lentz declined comment on the hackings mentioned in the memo citing operational concerns. "Take it [the memo] at face value," he said.
Maybe that was the bump in December?
Alaska Hacked.
http://www.adn.com/front/story/6140359p-6022520c.html
Hackers target state's computer network
COMPUTERS: Federal agencies investigate but aren't commenting.
By SEAN COCKERHAM
Anchorage Daily News
Published: February 10th, 2005
Last Modified: February 10th, 2005 at 05:38 AM
JUNEAU -- The FBI is looking into a recent rash of cyberattacks that hit the state's computer network.
"We are aware of it and it is a pending investigation so there is really very little I can say about it," FBI spokesman Eric Gonzalez said.
Rep. Pete Kott, R-Eagle River, said a federal task force came to Alaska as part of the investigation. Kott said he believes the CIA and the Department of Homeland Security are also involved.
Kott said he was briefed on the situation by state officials.
"Anytime you've got the feds up in Alaska it's got to be a serious issue," Kott said. "The White House has been briefed on this."
He said the federal team came to Anchorage about two weeks ago and took piles of data back to Washington, D.C., to analyze.
Kott said the January attacks appear to have originated in Brazil, although hackers can disguise where their attacks are coming from. He said he was told there was a security breach, but it was unclear how widespread it was or which agencies were involved.
"I don't think we were the only state affected," said Kott, who led the Legislature's Information Technology subcommittee last year.
The Alaska Department of Administration, which oversees the state computer network, refused to answer questions about the investigation.
"We have no response, no comment," department spokesman Joe Holbert said.
Kott said the department was slow in letting the Legislature know about the problem. He said his office got wind of it and had to call state officials and ask what was going on.
"They were shocked that we even knew about it," Kott said Wednesday.
Stan Herrera, the state's director of enterprise technology services, said Tuesday that he was unaware of an FBI investigation.
Herrera told the Daily News in late January that the state was looking into increased activity of cyberattacks on the state network that month. He described it as "denial of service" attacks that made computers unresponsive. He said he could provide no estimate on the breadth of the attack because it was still being analyzed. But he said there was no indication sensitive material was stolen from state computers.
The state's computer network contains credit card numbers and other personal information that could be used for identity theft. Kott said there could also be "widespread havoc" if a hacker were to penetrate the Permanent Fund dividend division.
The division director, Sharon Barton, said in an interview that there was no evidence of that. The Alaska Permanent Fund Corp., which handles the billions of dollars in fund investments, is not on the state network and officials said it was not breached. Fund technology director Marshal Kendziorek said he checked the logs closely when the state network was attacked.
"We are extremely security conscious here, much more so than other places," Kendziorek said. "We've seen no intrusions."
For the past decade, Kott said, officials have likely not given enough attention to beefing up the security of the state computer network.
Kott said the Murkowski administration has moved, though, to review the system and to "basically come up with a better mousetrap."
He said it's not a high priority among members of the Legislature.
"Nobody understands computers. They know how to turn them on, turn them off, and to get onto the Internet," Kott said.
Kott said planned security upgrades were speeded up after the January cyberattacks, although more will likely be needed.
He said he expects the investigators to make recommendations.
"If it's sizable, multimillion dollar upgrades, which I'm guessing it's going to be, then we have to take a serious look at it," Kott said. "I don't think we have any choice but to take care of the problem."
Daily News Reporter Sean Cockerham can be reached in Juneau at scockerham@adn.com or 1-907-586-1531.
The table "Regulations at a Glance" is a presentation in the original document showing the regulation, mandating organization, security requirements, affected companies, and deadline. Unfortunately it didn't transfer very well (lost all its formatting). Quite a world of opportunity!
-Richard
RSA whitepaper (partnered with Accenture) on "Identity and Access Management"
http://www.itbusinessedge.com/offer.aspx?o=00560001KR
IMPLEMENTING IDENTITY AND ACCESS MANAGEMENT FOR REGULATORY COMPLIANCE

Companies today face a growing number of regulations that have broad implications for information security. Governments worldwide are mandating the protection of information, whether it's to safeguard consumer privacy for health and financial records, ensure data quality in the production of drugs or re-establish trust in financial reporting systems.

What these laws have in common are requirements for ensuring that only authorized users gain access to information and the ability to control and examine user activity. Implementing an Identity and Access Management (I&AM) solution is an effective way to address the requirements of these regulations and build a unified compliance strategy.

This white paper has been developed by RSA Security in conjunction with our strategic partner, Accenture, as a resource for organizations to help them understand the requirements of a wide spectrum of the regulations and implement an I&AM solution that will address many of the key provisions.

Although each of the regulations has specific deadlines, it is well understood that compliance is an on-going effort, since the implementation of controls to protect information is not a one-time project but rather a continual, dynamic process as an organization's operations and environment change and technologies advance. This white paper is intended to help organizations implement an I&AM solution that will meet not only the on-going demands of complying with these regulations but also key business objectives.
TABLE OF CONTENTS
RSA SECURITY AND ACCENTURE ... 1
I. THE COMPLIANCE CHALLENGE ... 1
II. COMMON THREADS ACROSS REGULATIONS ... 1
    Best Practices in Information Security (sidebar) ... 2
III. SOLVING THE COMPLIANCE CHALLENGE WITH I&AM ... 3
    Primary Components of an I&AM Solution ... 3
    Success Factors for Implementing I&AM ... 4
    I&AM Solution Principles (sidebar) ... 4
TABLE: REGULATIONS AT A GLANCE ... 5
APPENDIX: OVERVIEW OF EACH REGULATION ... 6
    Sarbanes-Oxley (SOX) ... 6
    Gramm-Leach-Bliley (GLB) ... 6
    HIPAA ... 6
    21 CFR Part 11 ... 7
    Annex 11 Computerized Systems ... 7
    European Data Protection Directive ... 7
    Basel II ... 8
    Japanese Data Protection Directive ... 8
TABLE: RSA SECURITY'S I&AM SOLUTION AND REGULATORY COMPLIANCE ... 9
ABOUT RSA SECURITY ... 10
ABOUT ACCENTURE ... 10
RSA SECURITY AND ACCENTURE

RSA Security has over 20 years of experience in information security and is renowned for leading industry initiatives in standards and research. Our technology can provide a solid technical infrastructure that covers a broad range of the requirements yet offers the flexibility and scalability to meet an organization's needs as their environment changes. As such, organizations worldwide are turning to RSA Security to help them with their compliance efforts.

As a global management consulting company, Accenture has deep industry and business process expertise, broad global resources and a proven track record for helping organizations to comply with regulations. Accenture's approach is consistent with the expectations of the regulations, which call for not only technical measures for protecting information but also administrative measures such as policy, procedures and training of personnel. The I&AM framework that Accenture has developed involves the implementation of key technologies, the transformation of processes and alignment with the people in the organization.

RSA Security and Accenture share a common philosophy in helping organizations achieve regulatory compliance by seeing it as an opportunity to improve operations; maintain the trust of customers and partners; and become more competitive.
I. THE COMPLIANCE CHALLENGE

Over the last several years, nations throughout the world have enacted regulations which have major implications for information technology (IT) and security professionals. Information security has moved from being good practice to being the law.

Many regulations were put in place to establish standards for protecting data while promoting automation and e-commerce. Regulations such as Gramm-Leach-Bliley (GLB) and the Health Insurance Portability and Accountability Act (HIPAA) in the United States, or the European and Japanese Data Protection Directives, were enacted as a result of increasing concerns over privacy and identity theft. 21 CFR Part 11 in the U.S. and Annex 11 in Europe are meant to protect patient safety by ensuring the quality of data used in developing and producing drugs. Sarbanes-Oxley (SOX) in the U.S. was a response to specific problems with the financial reporting system and several high-profile fraud cases. The intent of Basel II is to better align banks' capital requirements with underlying risk.
All of these regulations carry penalties and some even carry prison terms for violations. Moreover, non-compliance could destroy a company's brand reputation and even set the stage for civil litigation.

Organizations globally are finding that complying with these regulations is a formidable challenge. Mandates are couched in ambiguous legal language, making interpretation difficult. What's more, most companies are subject to several regulations. For example, a U.S. investment bank with operations in Europe could be subject to GLB, SOX and the European Data Protection Directive. A global pharmaceutical company headquartered in Europe but with international sales could be affected by 21 CFR Part 11, Annex 11, HIPAA and Europe's privacy laws.

And the list of regulations continues to grow. In the wake of highly publicized security failures, privacy abuses and corporate scandals, there is intense pressure on governments in the U.S. and internationally to pass yet more laws and regulations. For example, India is writing privacy and security legislation in response to the needs of outsourcing customers in highly regulated countries and industries.

As well, organizations must implement a compliance strategy in the context of their other business objectives, such as reducing costs, improving customer service and increasing revenue. Most will need to ensure compliance in an environment that is constantly changing, as more users and applications are added. Adding to the challenge is the fact that applications and processes are increasingly outsourced and information is increasingly exchanged with external partners.
II. COMMON THREADS ACROSS REGULATIONS

The many regulations that mandate the protection of information were enacted for various reasons, are industry-specific in some cases and apply to a geographic region in other cases; however, there are common threads that run across all of these regulations.

For example, they all require that organizations implement controls to allow only authorized users to gain access to information, control what users do, monitor and track their activities and make them accountable for their actions. In other words, some of the central requirements are authentication, access controls and audit controls: the essence of I&AM.

Other common threads include requiring organizations to conduct a risk analysis and develop and enforce a security policy. Many of the regulations share similar language, often referring to the need for "reasonable and appropriate" controls, which is commonly interpreted to mean best practices. Organizations can turn to several sources for information on best practices such as peers, standards bodies, industry associations, or security experts and consultants. Some examples of best practices are presented in the box below.

A summary of information on the regulations and their requirements is provided in a table on page 5. For more extensive information on each of the regulations, see the appendix on page 6.

III. SOLVING THE COMPLIANCE CHALLENGE WITH I&AM

I&AM helps to solve the challenges of compliance because it provides an effective way to address some of the central requirements of many of the regulations. It helps organizations to build a unified, comprehensive strategy for compliance based on best practices in information security.

I&AM can be defined as "the people, processes and technologies dedicated to creating, managing and revoking digital identities, as well as developing and enforcing policies governing authentication and access to information systems both inside and outside the enterprise."
BEST PRACTICES IN INFORMATION SECURITY
Regulations generally expect organizations to
conduct a risk analysis and implement information
security measures based on best practices. The
following are some examples of best practices in
information security using I&AM and related
technology to support regulatory requirements:
Strong authentication is a best practice that
reduces the risk of unauthorized access to systems
and networks by requiring users to present strong
proof of identity, specifically by using multiple
factors. For example, two-factor authentication
combines something the user knows (such as a PIN)
with something the user has (such as a token).
Strong authentication is considered necessary
especially for remote access environments where
there are no physical access controls to ensure the
validity of the user. Inside corporate networks,
strong authentication may also be recommended
to protect highly sensitive data or to safeguard
single sign-on access, where one logon provides
the user with access to multiple applications.
Centralized access control is a best practice for
consistently assigning user privileges and enforcing
security policies across multiple applications. Some
regulations require organizations to implement
appropriate controls over user access to sensitive
data, such as a consumer’s health or financial
information. Centralized access control can be used
to enforce access rights based on diverse criteria,
such as job role, security clearance and business
rules. For example, centralized access control can
help ensure that a terminated employee’s
privileges are revoked for all applications in a
timely way.
Encryption makes sensitive information unreadable
except by authorized users who have the means to
decrypt the data. Encryption is a best practice for
shielding data from “eavesdropping” as it is
transmitted across a network or the Internet.
Increasingly, it is also used to protect databases
containing confidential information, thus making
them less vulnerable to network attacks.
Digital signatures can help to ensure the integrity
of data, online communications and transactions
by providing assurance that data has not been
altered from the original, especially during
transmission. Digital signatures also support non-repudiation
by providing the ability to prove the identity
of the signer.
Audit controls are an essential element of virtually
all regulatory requirements. Diverse laws and
regulations demand that the enterprise establish
accountability for each user’s online activities.
Centralized logging is considered a best practice
for tracking and monitoring user activity across
multiple applications, so that audit controls are
implemented effectively.
More than a simple product implementation, I&AM is an
approach to managing users and protected resources in a
way that maximizes business opportunity. The optimum
approach involves the people, processes and technology
for creating usable identities and enforcing the policies
behind the use of identities.
Regulations largely outline the required services that can be
provided as identity management (ensuring the user is who
they claim to be) and access management (determining which
applications, information or resources a user can access).
An I&AM solution is based on developing centralized
capabilities for establishing and managing digital identities,
which consist of attributes such as name, phone number,
job code, etc. It is also based on developing centralized
capabilities for access control, which takes business rules
and security profiles into consideration to establish and
enforce policy around which users are granted the privilege
to access which resources.
With a single I&AM framework, organizations can address
the requirements for complying with multiple regulations.
For example, an investment bank with operations in U.S.
and Europe can implement a single methodology and set of
technologies for information security that enables
compliance with U.S. and European Union privacy laws.
Diverse global regulations will require a centralized, policy-
driven model with local flexibility.
It is important to note, however, that I&AM is just part of an
overall solution for regulatory compliance. At the same
time, organizations will need to meet other security-related
requirements such as ensuring data integrity and
confidentiality.
An I&AM solution provides the foundation for helping
organizations to not only comply with regulations, but also
to manage their businesses with a degree of flexibility,
responsiveness, security and economy that is unattainable
with today’s fragmented approaches to managing user
identities.
Primary Components of an I&AM Solution
An I&AM solution enables organizations to manage on-line
identities and control access to resources. A complete
identity and access management strategy encompasses six
tactical areas: provisioning of user identities and
permissions; comprehensive user management capabilities;
authentication; access management; federated identity
management; and secured, centralized data stores to
maintain the required policies and profiles. All these
components should work together as an efficient,
intelligent system.
Provisioning provides automated capabilities for activating
user accounts and establishing access privileges for those
accounts across the entire enterprise. So, for example, if
one company has acquired another, provisioning makes it
possible to automate the process of “turning on” the
acquired employees’ access to all of the parent
organization’s relevant accounts—e.g., e-mail, HR, desktop
applications and the ERP system. Provisioning also helps
ensure timely and complete deactivation of accounts, such
as when an employee has left the organization.
User management provides automated tools for updating
user profile information in specific applications. Key
capabilities include delegated administration, approval
workflow, user self-service and synchronization with the
user data store.
Strong authentication enhances trust in network, intranet,
extranet and portal environments by requiring users to
present conclusive proof of identity before being granted
access to sensitive data and processes. This high level of
protection is especially important for remote and web
access—where there are no physical controls present; and in
single sign-on environments—where a user’s identity
unlocks multiple resources.
Access management capabilities allow an organization to
assign and enforce user access rights to diverse resources
across intranets, extranets, portals and exchanges. User
privileges can be defined at a very granular level, based on
a combination of user roles and attributes, and business
rules and security policies. Fine-grained authorization
protects not only access to applications but can also control
what users see and do once they have access to
applications. Administrators can grant or deny access to
specific transactions, limiting not only the resources
available to users but also the functions they are able to
perform within a given application.
Federated identity management overcomes the challenges
of a collaborative business environment. It enables
organizations to share trusted identities across the
boundaries of the corporate network—with outsourced
service providers, supply chain partners, autonomous
business units, etc. Users get secure single sign-on across
multiple systems for streamlined information access.
Federated identity management increases an organization’s
control over users’ identity information and facilitates
enforcement of security policy across multiple partners.
The user data store (directory or database) is an enterprise’s
authoritative source of user data. It typically draws pieces
of data from multiple applications and pushes updated
data back to those sources—including other identity
management solution components—ensuring the timeliness
and consistency of user data across the enterprise.
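The centralized access control, provisioning and audit controls described in the best-practices section and in the component descriptions above, as an added example that is not code from the whitepaper or from any RSA product: one policy decision point holds the role and entitlement model, pushes every account change to all connected applications (so a terminated employee loses access everywhere in one step), and records both administrative events and authorization decisions in a single audit log. The roles, applications and users are constructed sample data; the applications are in-memory stand-ins for what a deployment would reach through connectors or APIs.

```python
"""Centralized access control with provisioning, de-provisioning and a central audit trail.

Added example: the roles, applications and users are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> application -> permitted actions (constructed entitlement model)
ROLE_ENTITLEMENTS = {
    "employee": {"email": {"read", "send"}, "hr_portal": {"read"}},
    "finance_analyst": {"erp": {"read", "post_journal"}},
    "finance_manager": {"erp": {"read", "post_journal", "approve_payment"}},
}


@dataclass
class User:
    user_id: str
    roles: set
    active: bool = True


class ConnectedApp:
    """A target application whose local accounts are owned by the central service
    (an in-memory stand-in for what a deployment reaches through a connector or API)."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}  # user_id -> actions granted locally

    def provision(self, user_id, actions):
        self.accounts[user_id] = set(actions)

    def deprovision(self, user_id):
        self.accounts.pop(user_id, None)


class AccessManager:
    """Single policy decision point: owns identities, pushes entitlements to apps, logs everything."""

    def __init__(self, apps):
        self.apps = {app.name: app for app in apps}
        self.users = {}
        self.audit = []  # one record per administrative event and authorization decision

    def _log(self, event, **details):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **details})

    def entitlements(self, user):
        """Merge the entitlements of all of a user's roles into app -> actions."""
        merged = {}
        for role in user.roles:
            for app, actions in ROLE_ENTITLEMENTS.get(role, {}).items():
                merged.setdefault(app, set()).update(actions)
        return merged

    def _sync(self, user):
        """Make every connected app match the central decision: create, update or remove the account."""
        wanted = self.entitlements(user) if user.active else {}
        for name, app in self.apps.items():
            if name in wanted:
                app.provision(user.user_id, wanted[name])
            else:
                app.deprovision(user.user_id)

    def provision_user(self, user_id, roles):
        user = User(user_id, set(roles))
        self.users[user_id] = user
        self._sync(user)
        self._log("provision", user=user_id, roles=sorted(user.roles))

    def change_roles(self, user_id, roles):
        user = self.users[user_id]
        user.roles = set(roles)
        self._sync(user)  # accounts the new roles no longer justify are removed, not left behind
        self._log("role_change", user=user_id, roles=sorted(user.roles))

    def deprovision_user(self, user_id):
        """Termination: one call revokes the user's access in every connected application."""
        user = self.users[user_id]
        user.active = False
        self._sync(user)
        self._log("deprovision", user=user_id)

    def authorize(self, user_id, app, action):
        """Central authorization decision, evaluated per request and recorded for audit."""
        user = self.users.get(user_id)
        allowed = bool(user and user.active and action in self.entitlements(user).get(app, set()))
        self._log("authz", user=user_id, app=app, action=action,
                  decision="permit" if allowed else "deny")
        return allowed

    def accounts_for(self, user_id):
        """Which connected apps still hold an account for this user (a leaver check for auditors)."""
        return sorted(name for name, app in self.apps.items() if user_id in app.accounts)


def build_demo():
    """Constructed scenario: three connected apps and two users."""
    am = AccessManager([ConnectedApp("email"), ConnectedApp("hr_portal"), ConnectedApp("erp")])
    am.provision_user("alice", ["employee", "finance_manager"])
    am.provision_user("bob", ["employee", "finance_analyst"])
    return am


if __name__ == "__main__":
    am = build_demo()
    print(am.authorize("bob", "erp", "approve_payment"))  # bob lacks the manager role
    am.deprovision_user("alice")
    print(am.accounts_for("alice"))  # no app still holds an account
    for record in am.audit:
        print(record)
```

Two design points matter for compliance reviews: authorization is decided centrally per request from the current role set, so a role change takes effect immediately rather than at the next synchronization, and `accounts_for` gives the orphaned-account check an auditor will ask for after a termination.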
Success Factors for Implementing I&AM
Although technology is an essential part of an I&AM
solution, companies need to understand the
transformational nature of the processes that protect
information and align the solution with the people in the
organization to ensure success.
For example, where possible, existing manual business
processes that support the management of identities
should be automated, and IT processes should be simplified
or distributed to the business owners. To align people with
the I&AM solution, certain measures should be put in place,
such as enforcing a permissions model for accessing
resources. Procedures should also support responsibility
changes and organizational changes within the entity so
the organization can evolve security privileges dynamically.
A successful I&AM implementation to meet regulatory
compliance requires a strategic vision coupled with strong
knowledge of the business and application environments.
Companies must understand the principles defined by the
relevant regulations and consider the strategic nature of
I&AM and its impact on the organization. This requires the
ability to focus on processes and people as well as
technology so the enterprise can define explicit security
policies that drive the definitions of rules and work flows.
Organizations should invest in defining a comprehensive
and workable role and entitlements model.
Other key factors for success are attaining strong upper
management support and buy-in by all those impacted by
the process re-engineering. Developers should get on board
early on for integration with consolidated authentication,
authorization and identity services. A comprehensive
change management and communication plan should be
put in place. And organizations should follow a phased
approach for the integration of target systems and to
support different types of users.
The ability to integrate I&AM with an organization’s
heterogeneous systems and applications is crucial, and
companies also require the regulatory expertise and
professional services that can help them integrate manual
and automated processes for protecting identities
enterprise-wide and documenting compliance with
relevant regulations.
I&AM SOLUTION PRINCIPLES
The following are some of the high-level
principles that companies should consider when
implementing an I&AM solution to support
compliance requirements.
Deploy an enterprise-wide unified identity management solution supporting all user types, all IT domains and all modes of administration (centralized, delegated and self-help) through a phased delivery plan.
Automate the administration of the maximum number of tasks.
Incrementally integrate the target systems and applications into the solution, thus minimizing the need for separate administrations.
Link with master sources of identity information and propagate changes automatically.
Provide all user- and administrator-facing identity management services over a web interface for access ubiquity.
Support centralized control of access policies and extensive central auditing and reporting of all administrative events.
Support workflows for managing the approval of access rights.
Deliver the solution via market-proven software packages, minimizing in-house development.
REGULATIONS AT A GLANCE
Regulation | Mandating organization | Security requirements | Affected companies | Deadline
Sarbanes-Oxley (SOX) | U.S. Securities and Exchange Commission (SEC) | CobiT framework: authentication, access controls, user account management, credential life cycle management, non-repudiation and audit controls | Companies publicly traded on U.S. exchanges | November 2004
Gramm-Leach-Bliley (GLB) | U.S. Office of the Comptroller of the Currency (OCC) | Authentication, access controls, encryption, data integrity controls and audit controls | All financial institutions regulated by the OCC | July 2001
HIPAA [1] Security | U.S. Department of Health and Human Services (DHHS) | Authentication, access controls, transmission security, audit controls and data integrity | Healthcare organizations in the U.S. | April 2005
21 CFR Part 11 | U.S. Food and Drug Administration (FDA) | Authentication, access controls, data integrity controls, audit controls, encryption and digital signatures | Companies regulated by FDA (i.e. pharmaceuticals) | Final Guidance August 2003 (original deadline was 1997)
Annex 11 Computerized Systems | European Union (E.U.) | Access control; credential life cycle management; logging unauthorized attempts; recording identity of operators; and audit trails | All organizations producing medicinal products in the E.U. | Varies by country
European Data Protection Directive | European Union (E.U.) | Measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access | Companies conducting business in E.U. member nations | 1997-2002 (varies by country)
Basel II | Basel Committee on Banking Supervision | FFIEC framework: access rights administration, authentication, network access, operating system access, application access, remote access, logging and data collection | Global financial service organizations including internationally active banks | 2006
Japanese Data Protection Directive | Japanese Government | Safe-keep personal data against loss, system failure and leakage, i.e. unauthorized disclosures | Japanese private businesses | May 2005
[1] Health Insurance Portability and Accountability Act
APPENDIX: OVERVIEW OF EACH REGULATION
Sarbanes-Oxley (SOX)
The Public Company Accounting Reform and Investor
Protection Act, most commonly referred to as Sarbanes-Oxley
(SOX), was enacted in the United States in 2002 as
comprehensive legislation intended to reform the
accounting practices, financial disclosures and corporate
governance of public companies.
Designed to reduce fraud and conflicts of interest, SOX has
far-reaching impact within today’s American business
environment. It calls for stringent accountability in the
corporate decision-making process and increased financial
transparency to improve public confidence in the financial
reporting systems of corporations. SOX applies to all
companies that are publicly traded in the United States and
regulated by the Securities and Exchange Commission (SEC).
It mandates that these organizations ensure the accuracy of
financial information and the reliability of systems that
generate it. An important part of ensuring the accuracy
and reliability of financial reporting is having a rigorous
information security program.
SOX is an extensive regulation covering many aspects of
accounting, financial reporting and corporate governance.
The sections most relevant to information security include
sections 302 and 404, which address the accuracy of
financial statements and internal controls. Under section
302, the CEO and CFO must personally certify that financial
statements are accurate and that all material information
has been appropriately disclosed. Under section 404,
management must perform an assessment of internal
controls over financial reporting and obtain attestation
from external auditors annually.
In other words, section 404 requires that companies not
only establish and maintain an adequate internal control
structure but also assess its effectiveness on a yearly basis.
To comply with section 404, publicly traded companies are
expected to use an accepted framework to establish
appropriate internal controls, and the SEC specifically cites
that of the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). The COSO framework makes
general references to IT controls but is not a specific IT
framework.
The IT framework that is considered most closely aligned
with COSO was developed by the IT Governance Institute
and is known as CobIT (Control Objectives for Information
and Related Technology). CobIT is a comprehensive
approach to IT governance. Controls related to information
security are found in several sections and include:
authentication, access control, user account management,
credential life cycle management, non-repudiation, audit
controls, data integrity and encryption.
Gramm-Leach-Bliley (GLB)
The United States Financial Modernization Act of 1999, also
known as “Gramm-Leach-Bliley” or GLB, includes provisions
to protect personal financial information held by financial
institutions such as banks, securities firms, insurance
companies and other companies selling financial products
and services to consumers.
GLB applies to all financial institutions operating in the
United States that are regulated by the Office of the
Comptroller of the Currency (OCC) and it mandates the
protection of consumer financial information. It demands
privacy protections that include disclosure of policies and
practices regarding the treatment of financial information
and also places restrictions on the sharing of information.
Regulated entities must ensure the security and
confidentiality of consumer financial information against
“reasonably foreseeable” internal or external threats. From
an IT security perspective, you must implement a process
that assesses and monitors the threat environment, as well
as tools and policies to counter threats. GLB requires the
establishment of administrative, physical and technical
safeguards to protect the security, confidentiality and
integrity of consumer financial information. Specific
technical safeguards include access control, authentication,
encryption, audit controls and data integrity controls.
It requires that regulated companies develop and enforce
an information security program which includes a risk
assessment. Like most regulations, GLB is technology-neutral.
The Health Insurance Portability and Accountability Act
The U.S. Health Insurance Portability and Accountability Act
(HIPAA) was originally enacted to allow portability of
health insurance between jobs but greatly expanded to
include the Administrative Simplification Section. HIPAA
applies to all health care providers, payers and
clearinghouses. Within HIPAA, there are two rules in
particular that affect information security: the HIPAA
Privacy Rule and the HIPAA Security Rule.
The HIPAA Privacy Rule covers privacy rights, including uses
and disclosures of Protected Health Information (PHI). It
includes minimum necessary provisions which require
organizations to provide workers with access to only the
minimum necessary information needed to perform their
jobs. The HIPAA Security Rule requires that covered entities
ensure the confidentiality, integrity and availability of all
electronic PHI and requires them to protect information
against any reasonably anticipated threats, hazards, uses or
disclosures.
Under HIPAA Security, covered entities must perform a risk
analysis and implement “reasonable and appropriate”
measures; that is they must implement best practices for
information security. HIPAA is technology-neutral and
outlines specific administrative, physical and technical
safeguards to protect the security, confidentiality and
integrity of patient information. Technical safeguards
include authentication, access control, transmission security,
audit controls and data integrity.
21 CFR Part 11
Title 21 of the United States Code of Federal Regulations
Part 11 (21 CFR Part 11) applies to all organizations
regulated by the Food and Drug Administration (FDA),
which includes pharmaceutical, biotech, medical device,
food and cosmetic companies. It outlines the FDA’s
requirements for electronic records and electronic
signatures and is designed to prevent fraud while
permitting the widest possible use of electronic technology
to reduce costs incurred from paper processes.
For “closed systems” such as a LAN, organizations are
required to implement controls designed to ensure the
authenticity, integrity and, when appropriate, the
confidentiality of electronic records, and they must ensure
that the signer cannot readily repudiate the signed record as
not genuine. This requires the ability to limit system access to
authorized individuals and to document an audit trail. For
“open systems” such as the Internet, regulated organizations
are required to use all of the controls for closed systems plus
implement additional measures such as encryption and
digital signatures. In other words, the requirements include
authentication, access controls, data integrity controls, audit
controls, encryption and digital signatures.
While the original compliance deadline was set for 1997,
the FDA released their Final Guidance for Industry in August
2003 which re-examined Part 11 and narrowed the scope,
providing enforcement discretion for some provisions. 21
CFR Part 11 outlines a risk-based approach for analyzing
processes, identifying the records that need to be secured
and implementing the controls to mitigate risks.
Annex 11 Computerized Systems
Annex 11 of the European Union Directives for Good
Manufacturing Practices (GMP) guidelines applies to all
pharmaceutical manufacturers in the E.U. which use
computerized systems in manufacturing, storage,
distribution and quality control of medicinal products.
The Directives for GMP were adopted in 1991 and Annex 11
was added in 1998 based on the general principle that no
resultant decrease in data quality would be acceptable as
computerized systems replaced manual systems. Annex 11
includes requirements for training, validation and
documentation, as well as built-in checks for the correct
entry and processing of data. Because it specifies that data
can be entered or amended only by authorized persons, there
must be access controls and credential life cycle
management.
The central consideration is that “records are accurately
made and protected against loss or damage or
unauthorized alteration so that there is a clear and
accurate audit trail throughout the manufacturing process
the licensing authority for the appropriate time.” This
includes the ability to log unauthorized attempts to access
information, record the identity of all computer operators
and document a complete audit trail of all access to
privileged information.
European Union Data Protection Directive
In 1995, the Council of the European Union enacted the
95/46/EU Data Protection Directive to allow the free flow of
personal data between member states by harmonizing the
level of adequate protection of information. The scope of
the directive is limited to the processing of personal data,
including automatically processed data and manual data in
a filing system.
It covers conditions for processing of personal data,
including the confidentiality and security of processing and
provisions for transfer to third countries. For confidentiality
and security of processing, an organization must implement
appropriate technical and organizational measures to
protect personal data against accidental or unlawful
destruction or accidental loss, alteration, unauthorized
disclosure or access, in particular where the processing
involves the transmission of data over a network, and
against all other unlawful forms of processing. Transfer of
personal data to third countries may take place only if the
third country in question ensures an adequate level of
protection. The U.S. Safe Harbor Arrangement is a
streamlined means for U.S. companies to comply with the
Directive and was developed by the U.S. Department of
Commerce in consultation with the E.U.
Basel II
The new Basel Capital Accord (Basel II) is an effort by
international banking supervisors to update the original
international bank capital accord (Basel I), which has been
in effect since 1988. The Basel Committee on Banking
Supervision, on which the United States serves as a
participating member, developed the current proposals.
They aim to improve the consistency of capital regulations
internationally, make regulatory capital more risk sensitive,
and promote enhanced risk-management practices among
large, internationally active banking organizations. Basel II
intends to better align bank capital requirements with
underlying risk. Banks will be required to monitor, mitigate
and disclose risk and the lower the operational risk, the
lower the capital requirements.
Basel II applies to global financial services organizations,
specifically internationally active banks which have assets
greater than $250 billion or foreign exposures greater than
$10 billion. It calls for the implementation of a framework
for risk management. In the U.S., agencies responsible for
Basel II include the Federal Reserve Board, the Office of the
Comptroller (OCC), the Federal Deposit Insurance
Corporation (FDIC) and the Office of Thrift Supervision
(OTS), which make up the Federal Financial Institutions
Examination Council (FFIEC). An applicable framework for
information security in order to meet Basel II in the U.S. is the
“FFIEC Information Security Booklet (2003)”. Requirements
that can be addressed by security technologies include
(from the security controls implementation section of
FFIEC): access rights administration, authentication,
network access, operating system access, application access,
remote access, logging and data collection.
Japanese Data Protection Directive
The Data Protection Directive applies to private companies
in Japan that handle personal information, although it
excludes media and writers. It requires companies to specify
the purposes for which data will be used and notify
individuals that data has been acquired.
This directive is expected to be followed by specific
legislation for healthcare, finance and telecom industries.
Requirements include the ability to safeguard personal
data and protect it against loss, failure and leakage.
RSA SECURITY’S I&AM SOLUTION AND REGULATORY COMPLIANCE
Regulatory requirement | Components of RSA Security’s I&AM solution
Authentication | RSA SecurID® two-factor authentication verifies the identity of users with a high degree of assurance. It is an industry-standard solution for implementing a high level of secure access. RSA Keon® digital certificate management system can provide authentication for remote or enterprise access. RSA ClearTrust® software is designed to centralize the management of authentication services, support resource-based authentication and support multiple methods of authentication.
Access control, user account management | RSA ClearTrust web access management system can be used to centralize access control and enforce access control policy across multiple applications. It also streamlines administration, providing a secure and efficient means to manage user identities and access privileges. Users experience the convenience of single sign-on to multiple applications. RSA® Federated Identity Manager software allows organizations to share and manage trusted identities across business boundaries and users to access multiple domains. It also facilitates the enforcement of security policies across multiple partners.
Credential life cycle management | RSA ClearTrust software and RSA Security authentication systems can be used to create, modify and revoke digital identities throughout their entire life cycle. The provisioning component automates the process of managing accounts across a user’s life cycle. More specifically, provisioning allows centralized departments to quickly activate, modify or de-activate defined user accounts across multiple applications and identities.
Non-repudiation | RSA Keon digital certificate management system can generate digital signatures, which can be used to provide proof of transactions. RSA SecurID® and RSA ClearTrust systems can help ensure non-repudiation for transactions by providing audit trails.
Audit controls | RSA SecurID, RSA Keon and RSA ClearTrust systems provide extensive logging and reporting of authentication and/or authorization events for audit controls. RSA ClearTrust web access management can track the users’ access to information as well as the users’ actions such as reading, writing, creating and modifying files.
Data integrity | RSA Keon digital certificate management provides for digital signatures, which are used in ensuring data integrity.
Encryption | RSA BSAFE® software is used to implement encryption into databases as well as applications and devices that transmit data over the Internet. RSA Keon digital certificate management system provides for encryption of e-mail messages and for secure web sessions.
ClearTrust, Keon, BSAFE, RSA, RSA Security, the RSA logo, RSA Secured, SecurID and Confidence
Inspired are registered trademarks or trademarks of RSA Security Inc. in the United States and /or
other countries. All other products or services mentioned are trademarks of their respective owners.
©2004 RSA Security Inc. All rights reserved.
ACCIAM WP 0704
About Accenture
Accenture is a global management consulting, technology
services and outsourcing company. Committed to delivering
innovation, Accenture collaborates with its clients to help
them become high-performance businesses and
governments. Accenture offers both the technology and
regulatory expertise that helps companies worldwide
implement I&AM solutions that not only ensure compliance
with regulatory requirements, but better protect critical
information and enable the profitable growth of e-business
activities. With deep industry and business process
expertise, broad global resources and a proven track record,
Accenture can mobilize the right people, skills and
technologies to help clients improve their performance.
With approximately 95,000 people in 48 countries, the
company generated net revenues of U.S.$11.8 billion for
the fiscal year ended Aug. 31, 2003. Its home page is
www.accenture.com.
About RSA Security
RSA Security Inc. helps organizations protect private
information and manage the identities of people and
applications accessing and exchanging that information.
RSA Security’s portfolio of solutions (including identity and
access management, secure mobile and remote access,
secure enterprise access and secure transactions) is
designed to provide the most seamless e-security
experience in the market. Our strong reputation is built on
our history of ingenuity, leadership, proven technologies
and our more than 15,000 customers around the globe.
Together with more than 1,000 technology and integration
partners, RSA Security inspires confidence in everyone to
experience the power and promise of the Internet. For
more information, please visit www.rsasecurity.com.
I'm not a premium member and I have a number of people "hidden". It's sometimes funny to just see the swirl of angst created by UG, GS, et al. These posters often will preach to the choir "you must ignore these bashers!". Just do it. I just click on the name in the message and then select "Hide this poster".
here, here! ( or is it hear, hear!?)
This is from NetworkingPipeline:
http://www.networkingpipeline.com/news/59200059
January 31, 2005
IT Managers Prefer Hardware-Based Security Over Software Solutions: Survey
Britestream Networks finds that fifty four percent of respondents look to hardware to secure their networks
By Networking Pipeline Staff Networking Pipeline
IT managers prefer hardware-based security solutions to software solutions, according to a recent study by Britestream Networks of 300 IT professionals in companies with annual revenues of more than $30 million.
The survey found that over half (54%) of respondents preferred a hardware-based solution, consisting of either a pre-bundled, standalone hardware appliance or an embedded feature in network hardware equipment, over a software-based solution when asked how they would prefer to deploy network security in their organization.
Britestream Networks claims that the findings show a significant shift toward hardware-based over software-based security, because the predominant method for deploying security in the past has been via software.
"The reasons for the shift to a hardware preference are clear," Mike Salas, vice president of marketing for Britestream said in a statement. "With a hardware solution that completely offloads and performs security functions separately, customers can free up their existing computer resources for other applications. Hardware is also easier and faster to implement, easier to maintain, and ultimately more secure than software because it's a self-contained, impermeable entity that doesn't require patching or other hands-on maintenance."
I received a whitepaper from RSA Security today pitching a cooperative solution for "Identity and Access Management" (implementation partner is Accenture in this pitch.) At any rate, the paper does have a nice chart of various government regulations (existing and impending/foreign and domestic) married with their associated security requirements. After reading the paper I wonder if the recent French "CB" announcement might not indicate a potential for Wave to satisfy at least part of the Basel II 2006 mandate on international banking. If this were the case I wonder what opportunities the other regulations may offer (Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, 21 CFR Part 11, Annex 11, European Data Protection Directive, Basel II, and the Japanese Data Protection Directive.) Can anyone tell me if the RSA solution is a competitor or complementor of Wave?
OK. My ID is new. I had been invested in WAVX in 89-2001. Am newly reinvested. I had an ID on Raging-Bull (aeolus, I believe... a sailing thing), but have since changed ISPs and don't really know (or care) how to reactivate and reconnect to my old alias.
Looking forward to finding out what my handle is.