Security Watch | Matt Hines » May 2006

May 25, 2006

A conversation on ISO 27001 and what it could mean to you


I took a call recently with Ken Peterson, President and CEO of Churchill & Harriman, to discuss his experiences helping customers implement ISO 27001.

Ken founded Churchill & Harriman in 1982, and the company helps clients develop and implement controls and procedures that identify, value, and mitigate business risk.

Listen to the interview with Churchill & Harriman now.

According to Churchill & Harriman, here are some of the benefits realized by ISO 27001:2005-certified organizations:

- Holistic, risk-based approach to security, privacy and compliance

- Provides a common framework for addressing legislative, regulatory and contractual compliance (corporate governance)

- Demonstrates credibility, creates trust, improves satisfaction and confidence of stakeholders, partners, citizens and customers

- Demonstrates information security capability according to internationally accepted best practices

- Creates market differentiation due to prestige, image and external goodwill

- Reduces liability risk; demonstrates due diligence; lowers rates on cyber risk insurance premiums

- Demonstrates certifiable, proven, defensible and cost-effective recognition of best practices

- Demonstrates due diligence by maintaining certification through semi-annual third-party surveillance visits

- Reduces cost and business disruption from client risk assessments

- Assures policies & procedures are in accordance with internationally recognized criteria, structure and methodology

- Provides your organization with a continuous protection framework that allows for a flexible, effective, and defensible approach to security and privacy

- Certified Once ... Accepted Globally

Posted by Victor R. Garza on May 25, 2006 07:28 AM


May 19, 2006

Have you Splunked yet?


I stopped into the JavaOne 2006 conference for a few minutes and had a short conversation with splunk Chief Executive Splunker Michael Baum about splunk's newly released splunk version 2.

Seems like only yesterday that this product was in beta, and now it's already up to version 2. Time flies.

Listen to the interview with splunk now.

Posted by Victor R. Garza on May 19, 2006 06:40 AM


May 15, 2006

Is ISO 27001 the new ISO 9001?

I've just heard that the Federal Reserve Bank of New York has become the first organization in North America to be certified to the new ISO 27001 global standard for information security best practices.

I'm wondering whether this Fed's certification will cause others to join in on this information security benchmark - hopefully it will.

While I believe standardization is usually good, especially when it comes to information security, it can cause bottlenecks as the process takes place. I remember being part of a large ISO 9000 certification process pre-2000, and of course now all I can remember is having to memorize the company's mission statement in case I was ever asked. But overall these certifications are a good thing, as they offer consistency and organization when it comes to documentation, training, change/process management and operational procedures within an enterprise.

ISO/IEC 27001:2005, which replaced BS 7799-2:2002 (a standard that already had more than 2,500 organizations worldwide certified against it), is formally titled "Information technology - Security techniques - Information security management systems - Requirements"; the older BS 7799-2 title, "Information security management systems - Specification with guidance for use", is still widely quoted. Like ISO 9001 and ISO 14001, it is written as a management-system standard, so the three can be run as one integrated system rather than three parallel ones. Certification does not by itself satisfy the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley Act (SOX), but a maintained ISMS gives an organization a documented, independently audited control set, which makes demonstrating compliance with those requirements considerably easier.

About ISO/IEC 27001:2005

ISO 27001 is the formal standard against which organizations may seek independent certification of their Information Security Management System (ISMS): the framework for designing, implementing, operating, monitoring, maintaining and improving information security processes and controls systematically and consistently across the organization. Two points matter for anyone evaluating a certificate. First, it covers the ISMS and its declared scope, not any product or the whole company by default, so ask to see the scope statement. Second, the standard's Annex A lists control objectives and controls (drawn from ISO/IEC 17799:2005); the organization records which of them it applies, and why any are excluded, in its Statement of Applicability, and the auditor checks that document against the risk assessment. The final version of ISO 27001:2005 is available now from ISO or BSI. More information is available at www.iso.org, www.bsiamericas.com and www.xisec.com.

Posted by Victor R. Garza on May 15, 2006 12:47 PM


May 14, 2006

The new Palm Treo 700P is here!


And what, you may ask, does this have to do with computer/network/device security? And I would answer, pretty much nothing. But being a Treo cellphone aficionado I am obliged to post this news, since where would we security geeks be without our toys?

So, since I own a later-model Treo-based cellphone (which is literally connected to my hip, partially because I haven't experienced the issues my compadres have), I was dismayed when I heard in December of last year that the Treo OS would be no more. I had also taken the time to query numerous people at different shows, Palm employees and my other contacts, who also assured me that the Palm OS on the phone was gone and I wouldn't be seeing it again. I had actually almost resigned myself to purchasing a Windows Mobile-based Treo 700W in the coming month (when I had some time to get to a store between all of the teaching, travel and consulting I've been doing lately). This Microsoft conversion was almost complete once I had moved from the Palm Desktop application completely over to Outlook 2003 as my new personal information manager (PIM) of choice. I was actually quite happy with the PIM transition, especially since my Treo hadn't choked on the new integration scenario, but I still wasn't looking forward to learning the Windows Mobile interface, especially since I continue to like the elegance of the Palm OS on my handheld, not to mention all of the free networking and security apps you can get for the Palm OS versus Windows Mobile.

After getting the NDA scoop last week, the new 700P is out. The only thing that slightly pisses me off about this new box is that it supports dial-up networking (DUN) via EVDO. This means that you can essentially plug your new Treo into your computer and use it as a high-speed, ubiquitously connected modem. Since this type of connectivity isn't supported on the 700W, in December of last year I went out and signed up for a Verizon PC Card with EVDO (and its two-year contract). Don't get me wrong, I really like the card and the connectivity, but I might not have signed up if I had known that the 700P would fix this little issue and also allow for trickle-charging the phone off the laptop during an EVDO connection.

I've included some slides from the presentation so you can take a look at its capabilities. I'm pretty jazzed.

Some things you don't get from the slides - the screen resolution is higher on the 700P than the 700W, and the 700P does not support Wi-Fi. From my experience with EVDO, I don't think most people will care.

[Slides: Treo 700P introduction, EVDO, dial-up networking (DUN), usage, Blazer browser, e-mail]

I think that enterprise customers will be happy with these enhancements to the device...

[Slides: PDF viewing, document scanning]

A new app that seems like a definite time saver.

[Slides: hardware; closing slide]

Posted by Victor R. Garza on May 14, 2006 09:01 PM


May 13, 2006

Want to understand the Trusted Platform Module (TPM)?

Here it is in easily digestible format, courtesy of Fujitsu.

I saw this at a Fujitsu press day a few weeks back and thought it would be a good thing to share for those of you befuddled by the TPM acronym. While this presentation only scratches the surface, it gives you a jumping-off point for further investigation.

[Fujitsu TPM presentation, slides 1 through 12]


Posted by Victor R. Garza on May 13, 2006 12:28 PM


May 07, 2006

Wireless and Metcalfe's law

LCDR Joseph L. Roth and I have an informal discussion regarding his idea of a wireless extension to Metcalfe's Law. Joe talks about his thesis at the Naval Postgraduate School on mobility and the value of wireless networks.

Listen to the discussion with Roth now.


Posted by Victor R. Garza on May 7, 2006 10:54 AM


May 03, 2006

Smartcards spill the beans


I was at CardTech/SecurTech 2006 recently and had a meeting with Cryptography Research, a company focused on securing smartcards. I spoke to Kit Rodgers, VP, and Ken Warren, Manager, about smartcard tamper resistance and countermeasures to differential power analysis (DPA).

Listen to the interview with Cryptography Research now.

Posted by Victor R. Garza on May 3, 2006 02:35 PM


May 02, 2006

Let's talk Smartcards


I was at CardTech/SecurTech 2006 recently and had a meeting with Anteon, an integrator of government solutions. I spoke to Ray Donahue, VP of Operations at Anteon regarding Anteon's integration and testing of smartcards for Homeland First Responder credentialing, based on the Homeland Security Presidential Directive 12 (HSPD 12). We talk about common credentialing for federal employees and why this type of credentialing is important, and we discuss some recent disaster examples and how credentialing can be used to authenticate individuals in some of those environments.

Listen to the interview with Anteon now.

Posted by Victor R. Garza on May 2, 2006 04:07 PM
