The Court found that the method by which Public Company Accounting Oversight Board (PCAOB) members are appointed does not grant the Executive branch sufficient oversight because of the restrictions on when members can be removed from their position. According to Chief Justice Roberts' opinion, "The consequence is that the Board may continue as before, but its members may be removed at will by the (Securities and Exchange) Commission." And for those arguing that SOX doesn't have a severability clause that maintains the act's legality even when a portion of it is overruled, Roberts clarifies that "the unconstitutional tenure provisions are severable from the remainder of the statute."
Last Monday, Stephanie Balaouras and I recorded a podcast on a recent hot topic amongst Forrester clients — Enterprise Role Management (ERM). For the most part, people understand fundamental provisioning so I wanted to take this time to go through ERM in a little more detail.
Over the past few months, I have been asked many questions about taking ERM to the next level — about how to expand and automate identity management infrastructure. Before determining whether this is the right step for your company, however, it's important to understand the two most important benefits from doing so and also recognize the prerequisites.
Among others, two benefits of ERM are security and compliance. Achieving a more mature role management system will increase your organization’s security around information sharing, and it will enable understanding of the segregation of duties. Before achieving this level of security and compliance, it’s important to simplify your identity repository and create a clear-cut set of records. This allows for a recertification phase when managers can take the time to revoke or grant access to existing accounts. Once you have created a clean, up-to-date role management database, your organization is ready to look forward to taking ERM to the next level.
After speaking with many clients on this topic, I have garnered a solid list of best practices that everyone should be aware of before attempting to strengthen any ERM system. These practices include data points around user population and recertification timelines, whether or not a hierarchical approach should be adopted to organize roles, and the value of tools such as Web single sign-on and security incident and event monitoring as they relate to role management.
Organizations continue to face the risk of security breaches. Normally, we talk about the cost of a security breach in terms of fines and other expenses around the loss of PII, per California Senate Bill 1386 and similar laws in 45-or-so other states.
The FTC specifically identified these practices (among others) that constituted insufficient care:
In my ongoing work with risk management professionals, I've been encouraged to see how quickly the role is growing in influence and responsibility in today's business environment (even though the drivers for that elevation are often disastrous). Along those lines, I read a great article this morning in StrategicRISK, discussing the window of opportunity for risk experts, aptly entitled Keep Your Eyes on the Prize.
The article quotes the Institute of Risk Management's deputy chairman, Alex Hindson, who says that top executives and boards of directors are looking for risk management guidance, and if risk experts in their organizations can't step up to fill that role in their "window of opportunity," it will be filled instead by auditors, finance professionals, or external consultants.
In my recent engagements with Forrester's clients in risk management, I've certainly seen a lot of interest and participation from other functions in the business - most notably audit and IT. And just last week, my colleague Craig Symons published a report explaining key issues in risk management for the CIO.
We recently embarked on a Forrester-wide research project to benchmark the use of social technologies across enterprise organizations. Why is this important? Well as you may know, we cover social technologies from a wide range of perspectives — from roles in marketing to IT to technology professionals. We find each of these roles differ in their general “social maturity” and that most companies are experiencing pockets of success, but few, if any, are successfully implementing it across the board. In fact, full maturity in this space could take years, but there are clear differences in how some “ahead of the curve” companies are using social technologies for business results.
There are serious security and risk concerns with social technology but there are also significant business and operational benefits. Security professionals have to determine how they can mitigate these risks to an acceptable level without significantly hampering the business. If you haven’t seen it, Chenxi Wang has written an excellent report on how effective management of social media can alleviate security risks. Check out To Facebook Or Not To Facebook.
There is also some discussion about how security professionals might use social technologies to their own benefit — particularly to leverage the knowledge of other security professionals to combat the growing sophistication of security attacks. If you haven’t seen it, check out John Kindervag’s report SOC 2.0: Virtualizing Security Operations.
A few weeks ago, Stephanie Balaouras and I posted a podcast on a topic that has been a high priority for many of our customers — how to apply risk management techniques to IT security. We know that many of you are feeling the pressure to take the lead in IT risk management and in some cases even play a role in initiating risk management at the corporate level.
The key to success is understanding the core elements of risk management and how to plug them into existing processes without creating simply another layer of overhead. A major theme of my recent research has been on existing risk management standards and how they are being applied to IT Security and Risk functions. For example, the ISO 31000 risk management standard outlines a five-step process for formalized risk management. My January report, Introducing ERM To IT Security And Risk , provides a summary of the standard, and I will be expanding upon the next steps in my upcoming research documents. In addition, look out for my next doc on Regulatory Intelligence, to be published in the next few months.
In the meantime, I encourage you to listen to this podcast to hear about best practices and lessons learned from clients who have gone through these steps. And as always, I welcome any questions or feedback.
Valleywag reported yesterday that a hack targeting AT&T’s infrastructure led to the disclosure of 114,000 iPad owners' email addresses, including those of prominent celebrities, politicians, and high-profile industry figures.
As far as we can gather at this point, this is most likely a parameter tampering attack. The hackers attacked AT&T’s iPad support Web application, traversed through a range of ICCIDs (Integrated Circuit Card Identifiers), and were able to eventually obtain valid iPad owners’ email addresses without proper authentication.
If this is indeed true, AT&T has done a poor job designing their Web applications — being able to guard against automated parameter traversal attacks is one of the first things you do to secure your Web apps. One can launch an automatic parameter traversal attack fairly easily these days: It does not require sophisticated technology or advanced reconnaissance on the victim Web application.
This attack apparently only affected iPad 3G users, not those with Wi-Fi-only iPads. AT&T's official response stated that this particular flaw on their Web application has been remediated.
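To make the design point concrete, here is an added example (not code from the original post or from AT&T) modelling the flaw described above: a lookup that treats the ICCID alone as proof of identity, next to a hardened version that releases a record only to the authenticated owner and throttles a client that walks through many distinct identifiers. All ICCIDs, accounts and addresses are constructed sample data; the Session shape and threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample directory: ICCID -> (account owner, e-mail address).
DIRECTORY = {
    "89014100000000000001": ("alice", "alice@example.test"),
    "89014100000000000002": ("bob", "bob@example.test"),
    "89014100000000000003": ("carol", "carol@example.test"),
}


def lookup_vulnerable(iccid: str) -> Optional[str]:
    """The flawed pattern: a valid ICCID is the only thing checked,
    so anyone who can guess one is handed the owner's address."""
    rec = DIRECTORY.get(iccid)
    return rec[1] if rec else None


@dataclass
class Session:
    user: Optional[str]   # authenticated principal, or None if anonymous
    client: str           # hypothetical client key used for rate accounting


# Distinct ICCIDs requested per client; sequential traversal shows up as
# one client touching many different identifiers in a short time.
_seen = defaultdict(set)
ENUM_THRESHOLD = 5  # assumed limit for this example


def lookup_hardened(session: Session, iccid: str) -> Tuple[int, Optional[str]]:
    """Return (HTTP-style status, e-mail or None).

    The record goes only to its authenticated owner, and a client that
    asks about too many different ICCIDs is cut off whether or not the
    identifiers it tried are valid."""
    _seen[session.client].add(iccid)
    if len(_seen[session.client]) > ENUM_THRESHOLD:
        return 429, None          # traversal detected: throttle the client
    if session.user is None:
        return 401, None          # no authenticated principal at all
    rec = DIRECTORY.get(iccid)
    if rec is None or rec[0] != session.user:
        return 404, None          # same answer for "unknown" and "not yours"
    return 200, rec[1]
```

Returning the same 404 for an unknown ICCID and for someone else's ICCID matters: a distinct "forbidden" response would still let a caller confirm which identifiers are valid.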
With this purchase, the major offerings that Autonomy picks up are CA Records Manager (which stems from CA’s 2006 acquisition of MDY Group International) and CA Message Manager (which comes from CA’s 2005 acquisition of iLumin). In 2009, I evaluated records management offerings and rated CA Records Manager as a leader in this category. Forrester clients can access the June 23, 2009, “The Forrester Wave™: Records Management, Q2 2009” report for further details.
From its prior acquisitions of Interwoven in 2009 and Meridio in 2007, Autonomy has two existing records management applications. Largely leveraging its 2007 purchase of ZANTAZ, Autonomy also currently markets several message archiving solutions including Digital Safe (cloud-based archiving solution), Enterprise Archive Solution (on-premise archiving software), Arcpliance (on-premise archiving appliance), and more. After it completes the acquisition of CA Technologies’ Information Governance business, Autonomy will have three distinct offerings for records management and over four for message archiving.
Earlier this week, Forrester Research published my Market Overview: Enterprise Rights Management report. Brian Hill and I examined eight vendors in the enterprise rights management (ERM) space: Adobe, Microsoft, GigaTrust, Liquid Machines, NextLabs, Oracle, EMC, and Covertix. We found that the space is evolving to become less of a standalone market. From the report:
Because ERM allows data to protect itself via encryption, it is theoretically the perfect security technology for a world where the “dissolving perimeter” is an established fact. But historically, most enterprises don’t use ERM on an enterprisewide basis and do not use it to protect documents shared outside company boundaries. High cost, application rigidity, and integration shortcomings have limited market adoption. Forrester expects that ERM’s appeal will widen in the future. Integration with data leak prevention technology, content management infrastructure, and other risk mitigation solutions will drive adoption growth, particularly as enterprises roll out the latest versions of Microsoft Exchange and SharePoint.
Yesterday, June 8, 2010, Microsoft released 10 security bulletins, three rated as "critical" and seven rated as "important," to address a total of 34 software vulnerabilities. Of these bulletin items, users should prioritize these four:
MS10-033: Critical on all supported versions of Windows. This update addresses a Windows media file vulnerability that could potentially enable drive-by downloads.
MS10-034: Addresses an ActiveX vulnerability.
MS10-035: A cumulative update for Internet Explorer.
MS10-038: Addresses critical vulnerabilities in Excel.
It’s important to note that MS10-038 addresses 14 CVE vulnerabilities, all related to Excel. Many of these vulnerabilities have a “critical” rating. Of the 14 vulnerabilities, only 11 affect Office 2002. Office 2010 is not impacted by any of these.
If you are still running MS Office 2002, it is time to upgrade! In addition to these newly announced vulnerabilities, Microsoft is ceasing support to Office 2002 next month. All the more reason to upgrade!
An important item to note: In addition to Office 2002, Microsoft will cease support for Windows XP Service Pack 2 and Windows 2000. Users should upgrade to a later version, such as Windows XP Service Pack 3.