
Jon Seals


Six in ten organizations say they must demonstrate compliance and auditing of privileged accounts, indicating that privileged account management (PAM) security is now a firm requirement for complying with government and industry regulations. This is just one of many findings from a benchmark global survey of more than 500 IT security professionals from organizations around the world. The findings indicate that privileged account management is not only a security issue but also a regulatory compliance issue within their organization or industry.

The survey is part of a new report, 2016 State of Privileged Account Management, which exposes several significant security gaps in how organizations manage and secure privileged account passwords and access, and shows the extent to which privileged account management security is rising in priority and is required for regulatory compliance.

Privileged accounts are critical to both industry and regulatory compliance because they hold what are known as the “keys to the kingdom.” These accounts have full permissions on the computer systems and environments where sensitive data is stored: financial records, classified data, or personally identifiable information such as email addresses, credit card numbers and social security numbers. It is therefore crucial that organizations monitor and track any unauthorized modification, theft, sabotage or privacy breach involving privileged accounts. The U.S. Computer Emergency Readiness Team (CERT) has published several recommendations on reducing the risk of insider abuse of accounts. To make the controls on privileged accounts considerably stronger than those on regular accounts, it recommends applying a “least privilege” approach and implementing security policies and controls with strict password creation and management. Auditing and tracking changes, and continuously discovering and updating accounts, are among CERT's other recommendations.
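The recommendations above (least privilege, auditing changes, continuous discovery of accounts) start with knowing which accounts are actually privileged, and "privileged" is rarely just the literal root user. The following script is an added example, not code from the report or the article: it inventories privileged accounts on a Linux host from passwd, group and sudoers contents, records why each one is privileged (UID 0, admin-group membership, direct sudo grants), runs a few review checks, and diffs the result against a previously approved inventory. The three input files, the admin-group list, the non-interactive shell list and the baseline are constructed assumptions for the example; the sudoers parser handles only simple one-line rules (no aliases, includes or multi-host specs).

```python
import re
from collections import defaultdict

# Constructed sample files for this example; not taken from any real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-backup:x:1002:1002:backup service:/var/backups:/usr/sbin/nologin
carol:x:1003:1003:Carol:/home/carol:/bin/zsh
"""
GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
backup:x:34:svc-backup
"""
SUDOERS = """\
# constructed sudoers; only simple one-line rules are handled below
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
carol   ALL=(ALL) NOPASSWD: ALL
svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""
# Assumed policy inputs: admin groups, non-interactive shells, last approved inventory.
ADMIN_GROUPS = {"root", "wheel", "sudo", "admin"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
BASELINE = {"root", "alice", "bob"}
# Matches "[%]who  host = (runas) command_spec"; captures the % flag, who, and the spec.
SUDO_RULE = re.compile(r"^(%?)([\w.-]+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def parse_passwd(text):
    """name -> {uid, gid, shell} from passwd(5)-formatted text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, _, _, shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users

def parse_group(text):
    """name -> {gid, members} from group(5)-formatted text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            groups[name] = {"gid": int(gid), "members": members.split(",") if members else []}
    return groups

def parse_sudoers(text):
    """(user_rules, group_rules): name -> list of granted command specs."""
    user_rules, group_rules = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments
        m = SUDO_RULE.match(line) if line and not line.startswith("Defaults") else None
        if m:
            is_group, name, spec = m.groups()
            (group_rules if is_group else user_rules)[name].append(spec.strip())
    return user_rules, group_rules

def discover_privileged(passwd_text, group_text, sudoers_text):
    """Privileged account -> reasons: UID 0, membership (primary or supplementary)
    in an admin group or any group named in sudoers, and direct sudo grants."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    user_rules, group_rules = parse_sudoers(sudoers_text)
    gid_to_group = {g["gid"]: gname for gname, g in groups.items()}
    reasons = defaultdict(list)
    for name, u in users.items():
        if u["uid"] == 0:                               # root by any other name
            reasons[name].append("uid 0")
        member_of = {gid_to_group[u["gid"]]} if u["gid"] in gid_to_group else set()
        member_of |= {gname for gname, g in groups.items() if name in g["members"]}
        for gname in sorted(member_of):
            if gname in ADMIN_GROUPS or gname in group_rules:
                reasons[name].append(f"member of {gname}")
    for name, specs in user_rules.items():
        reasons[name].extend(f"sudo: {spec}" for spec in specs)
    return dict(reasons)

def audit(priv, users):
    """Review checks in the spirit of the CERT recommendations quoted above."""
    findings = []
    uid0 = sorted(n for n, r in priv.items() if "uid 0" in r)
    if len(uid0) > 1:                                   # more than one root: shared/backdoor root
        findings.append("multiple uid-0 accounts (shared root): " + ", ".join(uid0))
    findings += [f"{n}: unrestricted sudo without a password prompt"
                 for n, r in sorted(priv.items()) if "sudo: NOPASSWD: ALL" in r]
    interactive = sorted(n for n in priv if users.get(n, {}).get("shell") not in NOLOGIN_SHELLS)
    findings.append("interactive privileged logins to review: " + ", ".join(interactive))
    return findings

def diff_against_baseline(priv, baseline):
    """Continuous discovery: accounts that gained or lost privilege since the last approval."""
    return {"new": sorted(set(priv) - baseline), "removed": sorted(baseline - set(priv))}

if __name__ == "__main__":
    priv = discover_privileged(PASSWD, GROUP, SUDOERS)
    for name, why in sorted(priv.items()):
        print(f"{name:12} {'; '.join(why)}")
    for f in audit(priv, parse_passwd(PASSWD)):
        print("FINDING:", f)
    print("inventory drift:", diff_against_baseline(priv, BASELINE))
```

On a real host the three strings would be read from /etc/passwd, /etc/group and the output of `sudo -l` or the sudoers files, and the baseline would be the last inventory signed off in the access review; anything in the "new" list is an account that acquired privilege without going through that approval, which is exactly the drift the "continuously discover and update accounts" recommendation is meant to catch.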

...

http://corporatecomplianceinsights.com/cybersecurity-compliance-regulations-tougher-privileged-accounts/

Storage systems have become their own unique and complex field of computing, and the term means different things to different people. So how should we define them? Storage systems are the hardware that stores data.

For example, for a small business server supporting an office of ten users or fewer, the storage system is the set of hard drives inside that server where user data is located. In a large business environment, the storage system may be a large SAN cabinet full of hard drives, with the space sliced and diced in different ways to provide redundancy and performance.

...

http://blog.krollontrack.co.uk/pieces-of-interest/make-big-avoiding-data-loss-large-storing-systems/

Geary W. Sikich and Joop Remmé pose three questions that aim to help organizations explore the relationship between corporate social responsibility and governance, risk and compliance activities/obligations.

Introduction

In this article we posit three questions.  The first question is: “Is it a social responsibility of companies that they undertake a comprehensive risk assessment?”  The second question: “Does the notion of conscience and its application to the generation and use of risk information and information in general, create an obligation for the organization to disclose the results of the comprehensive risk assessment?”  The third question: “How do the people in the organization communicate the information from the comprehensive risk assessment to stakeholders and yet preserve security and protect the organization?”

The three questions may, at first, appear simple and straightforward. However, as we dissect each, we find significant complexity intertwined in them. While this article does not attempt to provide a rigid framework or hard and fast answers to the above questions, our intent is to set in motion a dialogue regarding corporate social responsibility (CSR) and its relationship with the governance, risk and compliance (GRC) activities/obligations that form a social contract between the organization and its stakeholders.

...

http://www.continuitycentral.com/index.php/news/erm-news/1333-the-unintended-consequences-of-risk-reporting

I’ve been working with Citrix products for 13 years and a part of Citrix Consulting for almost 5 years. In that time, I’ve realized that the technical challenges have changed from time to time, but the organizational and administrative challenges remain unchanged.

Topics like infrastructure layout, application delivery methods, project, change and release management are often not defined all that well. These circumstances lead to issues like quality constraints and human resources bottlenecks, which have impacts that are often bigger than the technical problems.

As such, I decided to write a blog series about the importance of business processes as they relate to Citrix virtualization products. Given that such processes are specific to every company, please don’t expect to receive a full set of definitions that you can copy and paste into your environment. The intention of this series is to give you a direction and an idea of what such processes might look like.

...

https://www.citrix.com/blogs/2016/08/15/the-importance-of-business-processes-part-1-release-management/

How do you think your company fares in cybersecurity readiness?

This question came to my mind today after reading two articles. The first was a Tech Target article that discussed what every company should know about cybersecurity readiness. One of the points in this piece covered identity management:

This is made up of various plans, policies, procedures and technology aimed at providing appropriate access to information resources and an understanding of how those resources are used and by whom.

Identity management includes areas such as authentication, authorization and access control. And that leads to the second article I read. eSecurity Planet reported that a recent Ponemon Institute and Varonis Systems study found that more than 60 percent of end users are accessing data that they shouldn't be, but at the same time, less than a third of IT departments are ensuring that only authorized people have access on a need-to-know basis.

...