In the latest episode of eIQcast, Host Ross Levanto and eIQnetworks Product Evangelist John Linkous analyze Hathaway’s comments and the industry’s reaction to them. The report Hathaway recently completed and sent to the President has not been made public; it’s expected that many of her recommendations will emphasize the need for ongoing monitoring of networks and security controls, as well as the need for the White House to step up its management of IT security across the entire government.

Editor’s note: This episode was recorded on Friday, May 1, and therefore references the RSA Conference that ended on April 23.

Running time: 10:57

Direct Link: http://eiqcast.podOmatic.com/entry/2009-05-04T08_49_21-07_00

In this episode of eIQcast, Ross Levanto interviews eIQnetworks Product Evangelist John Linkous. They walk through the new initiative outlined in the act and the timeline for the new IT rules addressing electronic record protection.

Running time: 11:22

Direct Link: http://eiqcast.podOmatic.com/entry/2009-03-16T13_40_07-07_00

Running time: 11:42

Direct Link: http://eiqcast.podOmatic.com/entry/2009-01-13T08_32_55-08_00

Fortunately, some standards and frameworks for managing security are really starting to mature, to the point where they can become a starting point for building risk-driven common controls that easily map to regulations and other compliance drivers. Most of these frameworks and standards have been around for a number of years but through a combination of broad adoption, continuous feedback from adopters, and a mature management and improvement process, they are rapidly becoming a great starting point for building comprehensive information security. Here are three that I believe are well-balanced (addressing both technical and logical controls), risk-based (where the implementation of some or all controls is based on an analysis of risk to systems and data), and can be implemented across any industry:

• · PCI Security Council (PCI) Data Security Standard (DSS) 2.0 – Recently released, the 2.0 version of the PCI-DSS standard focuses on a solid combination of static, pre-defined technical controls (e.g., minimum password lengths and complexity requirements), risk-based technical controls (e.g., business continuity infrastructure), and logical controls (e.g., written policies and procedures, and separation of duty). Although designed specifically for securing chain of custody around credit card data, PCI-DSS is rapidly becoming a standard of controls that organizations are applying to different types of data.
• · ISACA Control Objectives for Information Technology (COBIT) 4.1 – The COBIT framework has long been a framework for managing information security. With a focus on processes – not just technology – COBIT has become the standard high-level framework used by global auditing firms to audit against compliance with SOX Sections 302/404, J-SOX, and other major financial regulations that address financial controls. Like other frameworks, COBIT is relatively light on technical controls (although there are some specific technical controls defined for applications, such as event auditing and monitoring); instead, the goal of COBIT is to provide a framework for using risk-based decisions to build and maintain a complete IT management program.
• · International Standards Organization (IS) 27002:2005 – One of many IT-related best practice documents issued by ISO, ISO27002 (formerly known as ISO17799) is geared toward helping an organization establish risk-based decisions to build and maintain a security program. Unlike COBIT, which is focused on general IT controls, ISO27002 focuses very squarely on information security. Being part of the ISO family, ISO27002 is augmented with additional ISO-delivered guidance to help certain verticals – healthcare and financial services, for example – implement specific controls that are not only ISO27002 compatible, but compatible with other industry-specific laws and guidance.