Security Management
Data Retention Policy Free Download
The organization is subject to data retention requirements resulting from a mix of legal, industry, and business mandates. These data retention requirements govern the storage of the organization's information, records, and data. Regulations dictate that different data types be stored for specific periods. They also dictate the media storage format that must be used to store specific data types.
The organization's Data Retention Policy exists to ensure all organization information, records, and data are retained and stored in compliance with legal, industry, and business regulations. It includes a policy you can customize to meet your needs as well as a risk assessment spreadsheet you can use to judge just how much your organization is at risk by not having this policy in place.
OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security
These guidelines apply to all participants in the new information society and suggest the need for a greater awareness and understanding of security issues, including the need to develop a "culture of security" - that is, a focus on security in the development of information systems and networks, and the adoption of new ways of thinking and behaving when using and interacting within information systems and networks. The guidelines constitute a foundation for work towards a culture of security throughout society.

What is Generally Accepted System Security Principles (GASSP/GSSP)?
Generally Accepted System Security Principles incorporate the consensus, at a particular time, as to the principles, standards, conventions, and mechanisms that information security practitioners should employ, that information processing products should provide, and that information owners should acknowledge to ensure the security of information and information systems.
GASSP relates to physical, technical, and administrative information security and encompasses pervasive, broad functional, and detailed security principles. GASSP nomenclature considers the terms policy, rules, procedures, and practices to relate to the organizational implementation of security. Information technology (IT) changes rapidly, and GASSP are expected to evolve accordingly. Consensus regarding accepted information security principles is achieved first within the GASSP Committee followed by international IT community review.
GAAP versus GASSP?

Download Security Management And Risk Tracking 3.0.3, Free Security Management Application

If you are an Information System Auditor, a Security Analyst or even a Chief Information Officer, then at some level of management you will need this free Security Management Application. Security Management And Risk Tracking is a web-based application for managing an information security practice. It is a comprehensive solution that enables a corporation to manage:
· Information security policy
· Security policy exception handling
· Security Certification and Accreditation (SC&A)
· Issue tracking for security audits, pen testing, SOX, and so on
· Third-party connection management
· Asset and vendor management
A number of other services are also included in this solution. This is an enterprise-ready application that greatly reduces the time and effort needed to manage a security practice.
Key Features
· Web-based user interface

OCS Inventory NG, Free Inventory Management tool for every auditor
Perhaps one of the biggest questions every internal IT auditor must answer concerns IT inventory management. The next questions would be:
- Do we know which software or hardware components are installed on a computer?
- Are we able to deploy software or configuration scripts to our computers?
- Do we know all the devices connected to our IT network?
These questions are easy to answer with a proprietary solution such as Microsoft SMS or Novell; if we want to rely on open source, however, OCS Inventory NG is one of the best choices. OCS Inventory NG is an application designed to help a network or system administrator keep track of the configuration of the computers on the network and the software installed on them.
By using this application, every question above can be answered within a short period of time. Why not try it?

What is End Point Security?
Since the massive adoption of information technology, the need for proper end point security has become one of the critical discussions in companies: how to manage end point security effectively.
End Point Security Definitions:
- A strategy in which security software is distributed to end-user devices but centrally managed [searchsecurity.techtarget.com]
- An information security concept that basically means that each device (end point) is responsible for its own security [wikipedia.com]
- An individual computer system or device that acts as a network client and serves as a workstation or personal computing device [endpointsecurity.org]
Examples of End Point Devices:
Laptops, PCs, handhelds, and specialized equipment such as inventory scanners and point-of-sale terminals

Anatomy of an Auditing System
An auditing system consists of three components: the logger, the analyzer, and the notifier. These components collect data, analyze it, and report the results.
1. Logger
Logging mechanisms record information. The type and quantity of information are dictated by system or program configuration parameters. The mechanisms may record information in binary or human-readable form or transmit it directly to an analysis mechanism (see Section 21.2.2). A log-viewing tool is usually provided if the logs are recorded in binary form, so a user can examine the raw data or manipulate it using text-processing tools.
EXAMPLE: Microsoft's Windows NT has three different sets of logs. The system event log contains records of events that Microsoft has determined warrant recording, such as system crashes, component failures, and other events. The application event log contains records that applications have added. These records are under the control of the applications. The security event log contains records corresponding to security-critical events such as logging in and out, system resource overuses, and accesses to system files. Only administrators can access the security event log.

Security Patch Management
What is a Patch?
Patches are additional pieces of code developed to address problems (commonly called “bugs”) in software. Patches enable additional functionality or address security flaws within a program. Vulnerabilities are flaws that can be exploited by a malicious entity to gain greater access or privileges than it is authorized to have on a computer system. Not all vulnerabilities have related patches, and system administrators must be aware not only of applicable vulnerabilities and available patches but also other methods of remediation (for example, device or network configuration changes, employee training) that can limit the exposure of systems to vulnerabilities.
Why is Patching Important?
Timely patching of security issues is generally recognized as critical to maintaining the operational availability, confidentiality, and integrity of any system. However, failure to keep operating system and application software patched is one of the most common issues identified by security and IT professionals. New patches are released almost on a daily basis, and it is often difficult for even experienced system administrators to keep abreast of all the new patches and ensure proper deployment in a timely manner.

Firefox 3: The world's fastest security flaws
That Firefox 3 broke a Guinness World Record is common news: the browser was downloaded by more than 8 million people in 24 hours. But not only for the most downloads in one day; Firefox will also break the Guinness World Record for the world's fastest security flaws.
This is according to TippingPoint, a provider of network-based intrusion prevention systems, which was informed about existing security issues in Mozilla Firefox 3.0 through its Zero Day Initiative (ZDI) program, which rewards security researchers for exclusive information disclosing vulnerabilities found in software products.

Five key requirements for choosing the right mobile solution provider
Basically, there are five key requirements for choosing the right mobile solution provider:
- Enterprise-class security
- Application optimization with real-time push synchronization
- Broad handheld support and device-level integration
- Robust fleet management tools
- Flexible service and support
Based on research by the Motorola group, wireless access to enterprise information is going mainstream, driven largely by the needs and requests of individual employees within the enterprise. But while the need for wireless access is coming from the bottom up, the management of wireless access needs to be driven from the top down. Otherwise, enterprises may find that wireless information access is a complex, chaotic and expensive endeavor with only ambiguous benefits. The key to turning wireless information access into a strategic IT initiative that delivers tangible ROI is developing an enterprise wireless information access strategy.
