Data breaches. You ve gleaned all you can from the headlines; now you have access to information directly from the investigator s casebook. The 2008 Data Breach Investigations Report draws from over 500 forensic engagements handled by the Verizon Business Investigative Response team over a four-year period. Tens of thousands of data points weave together the stories and statistics from compromise victims around the world. What valuable insights can your organization earn from them?

To successfully sustain SOX compliance, organizations must implement best practices to ensure IT systems not only achieve a known and trusted state but they also maintain that state. Management must be more accountable and aware of the need for a continuous and proactive operational risk management environment that recognizes the links between its technology infrastructure, business processes, reputation, compliance, and internal controls. It is vital that Tripwire configuration audit and control solutions are used as an integral element of sustained compliance initiatives.

The ISO 27001 standard was published in October 2005 as a replacement to the BS7799-22 standard. It is primarily referred to as the Information Security Management System (IISMS) certification standard. Organizations that seek to implement an ISMS are examined against ISO 27001. The objective of this standard is to As with several global standards,the scope of this standard is far reaching, with several sets of control objectives and guidelines.Its fundamental purpose is to act as a compendium of techniques for securing IT environments and thus effectively managing business risk as well as demonstrating regulatory compliance. ISO 27001 is recognized internationally as a structured methodology for information security.A widely-held opinion is that ISO 27001 is an umbrella over other standards (such as PCI, SOX, GLBA, HIPAA and COBIT). Companies that choose to adopt ISO 27001 demonstrate their commitment to high levels of information security,as there are 11 major contro

This IDC White Paper examines Novell's identity and security management (ISM) solutions and how these integrated offerings can play a key role in enforcing security compliance for enterprise organizations. When properly implemented and deployed, these solutions help companies to: *Avoid violations of government and industry regulations *Avoid the leakage of intellectual property *Drive down the cost of compliance through integration, consolidation, and automation

CFR Part 11 of title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures sets forth the requirements for the creation, modification, maintenance, archival, retrieval, and transmittal of electronic records and also the use of electronic signatures when complying with the Federal Food, Drug and Cosmetic Act or any other Food and Drug Administration (FDA) regulation. These rulings became law in March 1997. Since that time, both industry and the FDA have been working to interpret the meaning and intent of Part 11. The FDA has created several documents with the assistance of industry representatives, to offer guidance in interpretation of the requirements. Even with these efforts, the requirements are still somewhat of a moving target. Pilgrim Software is continuously monitoring the opinions of the FDA to ensure continued compliance with the requirements.

The General Services Administration (GSA) has awarded a supply contract to Industrial Safety Solutions for their SafetyPro line of industrial labeling equipment and supplies. This new federal contract will give government and military agencies better access to compliance and safety labeling, which have been proven to reduce accident injuries in the workplace. Safety labeling is required by regulatory agencies such as OSHA, and is viewed as a top priority in mitigating occupational hazards. It is estimated that as many as 70% of all worksites, including government operated worksites, have insufficient or outdated visual hazard identification.

Alfred Sloan, the legendary former CEO of General Motors, popularized financial controls for corporate governance, but financial controls have never before received as much widespread attention as they do today. Thanks to the Sarbanes-Oxley Act of 2002, enterprises must devote significant resources to applying Sloans basic principles in todays e-business world. As businesses seek to implement, document, monitor, and report on the effectiveness of their financial controls for Sarbanes-Oxley compliance, they are also readdressing issues that first rose with Sloans model for financial controls how should businesses balance the tradeoffs between stringent controls, operational efficiency, and acceptable business risk?

After fortifying their networks perimeters against the external threats from mysterious computer hackers, enterprises are now focusing their attention on eliminating the recognized inside threats of systems-based fraud, misuse, and errors. Every organization faces the risk of technically capable, application-facing employees and insiders who exercise their knowledge of system rules and procedures to

How concerned are companies about the content of email leaving their organizations? And how do companies manage the legal and financial risks associated with outbound email? To find out, Proofpoint and Forrester Consulting (a division of leading analyst firm Forrester) conducted an online survey of technology decision makers at 424 large companies - in the US, UK, Germany, France and Australia - during March 2008. This report summarizes the findings of Proofpoint's fifth-annual email security and data loss prevention study, including surprising statistics about how large companies manage the risks associated with outbound email, blog postings, media sharing sites, social networking sites, mobile Internet-connected devices and other electronic communications streams.

This paper describes how businesses can use F5 Networks BIG IP Global Traffic Manager to leverage all the benefits of their secondary site in an active active configuration to holistically manage their applications across multiple sites.This paper also describes how you can use BIG IP Link Controller to maintain ISP link connectivity and WANJet to accelerate site to site data a replication across the WAN.

This paper addresses the increased performance needs of a disaster recovery plan, and the common barriers to achieving success. It also addresses the performance gains that can be achieved by combining a F5 WANJet application acceleration solution with Double-Take replication solutions from Double-Take Software.

Protecting its clients and their assets is a huge responsibility -one that Charles Schwab takes very seriously.The company upholds that commitment by making security and privacy a cornerstone of its business philosophy,and more importantly putting its money where its mouth is by investing heavily in addressing evolving online security- related needs.Its latest investment:a new class of authentication,the Extended Validation SSL Certificate,which allows online customers to see,at a glance,if the site they are visiting is one they consider trustworthy or a fraud masquerading as a legitimate site.. Schwab s commitment to information security speaks directly to the biggest issue that every financial services organization faces:Trust. Whether actually a victim,most individuals see themselves as potential prey to any number of electronic crimes,from an account take-over to credit card fraud or identity theft. Who could really blame them? asks Mick Kless,,Vice President of Professional S

Electronic messaging applications are mission-critical for most enterprises, yet securing them from threats and managing them to meet regulatory and compliance requirements have never been more challenging.Microsoft Exchange Hosted Services offers enterprise-class, affordable services that can protect the messaging infrastructure,simplify email management, and reduce risk.

In Europe,the level of awareness of I threats is generally very good.Most organisations know how to deal with viruses,spam,key-logging and other Internet threats.IDC believes that the vast majority of organisations are using,at the very least,antivirus or an antispam tools plus additional security features such as VPNs for remote connection backup and recovery for business continuity.However,this provides just basic protection and covers just half the danger. Threats today are agile,silent and very efficient,especially if organisations do not fully understand where the real threat lies.A single question that can help present the current situation is why have there been so few reports of widespread viruses over the past 12 months? Antivirus systems are certainly now quite effective,and the responsiveness and agility of detection systems reacting to large waves of self-reproductive viruses also improved. Furthermore,with the exception of poor security tools management,such as out of date

One of the biggest challenges in managing financial service organizations is the complexity of controlling user access to information resources. Some of these organizations have attempted to implement roles-based systems to address these challenges, but real-world experience have shown that unless roles fit into a context that ties together existing entitlements, company policies, regulatory requirements, and current business process realities, they simply don't work. Without this context, the result is a system that can't meet the demands of federal regulations such as the Sarbanes-Oxley Act (SOX) and Gramm-Leach-Bliley (GLB) Act in the U.S. or satisfy global measures such as Basel II/Solvency II capital-adequacy requirements and privacy regulations such as PCI, PIPEDA, CA SB 1386 and EU Data Directive. This paper describes a new roles-based model of access governance that overcomes the challenges ompanies have faced in the past and enables financial organizations to: *Deploy a policy

Understanding the trends and patterns of the past is the key to understanding the future, and security is no exception. The following security threat trends for 2008 have been assembled as a result of their frequency during security audits performed last year. These common and fundamental security issues typically arise from the same categorical underlying cause. Most organizations have had enough compliance audits and posses enough intuition of best practices to understand that security controls are necessary to mitigate risk. However, there continues to be significant discrepancy between what management believes the controls are doing and what the controls are -- in fact -- actually doing from a security standpoint. In short, controls have been deployed, but are not configured adequately, and just the mere existence of a control does not imply that the control is functioning adequately. Extremely subtle configuration problems can create critical risk on your network. The commonly hel

This paper discusses SAS70 audits and ISO certifications. To strengthen network security within your company, consider implementing combined standards of COBIT and ISO.

As the economy weakens, Internal Audit Directors, Audit Committee Members, Corporate Executives and General Counsel need to identify and address additional risks. Specifically, as basic necessities such as gas and food become increasingly more expensive, there is additional pressure on employees to misappropriate company assets and cash. If an employee is faced with a possible home foreclosure, corporate ethics and employee loyalty may become very unimportant. The bottom-line is that when food and shelter are threatened, employees may not have to mentally leap very far to rationalize taking company assets and cash. Sarbanes-Oxley (SOX) compliant organizations might be tempted to believe that their compliance efforts will adequately protect them from the increased risks presented by the current economic environment. While Sarbanes-Oxley has helped organizations reduce occupational fraud some, this white paper will demonstrate that there are still great opportunities for improvement. In

With Web 2.0 threats rendering today's most popular firewall technology basically obsolete, firewalls need to step up and tackle their task to protect public-facing assets like web applications. No longer are Web sites attacked only for the purposes of defacing the site to gain credibility among hacking peers, today it's about the money to be made for the bad guys in the distribution of malware and spam, and firewalls must be up to the challenge. Regulations like PCI DSS, the OWASP list of web application vulnerabilities and a recent study by Google confirms the need for web application security.

Junk postal mail is a nuisance for those who receive it, but it is limited by two important economic factors: a) junk mail costs something to produce and, as a result, b) senders of junk mail must achieve acceptable content-to-customer conversion rates in order to make the sending of their information economically worthwhile. The electronic equivalent of junk postal mail spam however, operates under no such economic constraints. Hundreds of millions of spam messages can be sent for a minimum investment and conversion rates can be extraordinarily low for spammers to turn a sizable profit. In fact, spammers can also The electronic equivalent of junk postal mail spam however, operates under no such economic constraints. Hundreds of millions of spam messages can be sent for a minimum investment and conversion rates can be extraordinarily low for spammers to turn a sizable profit.

This white paper explains what makes spam such an unbearable problem and how spamming tactics are evolving daily to beat anti-spam software. In the space of two months, spammers have switched from image spam to using PDF, Excel and ZIP file attachments. By using these attachments to send images instead of embedding them in the body of the email message, spammers have taken the cat-and-mouse game with anti-spam software developers to a new level.

This white paper explains what makes spam such an unbearable problem and how spamming tactics are evolving daily to beat anti-spam software. In the space of two months, spammers have switched from image spam to using PDF, Excel and ZIP file attachments. By using these attachments to send images instead of embedding them in the body of the email message, spammers have taken the cat-and-mouse game with anti-spam software developers to a new level.

This white paper explains what makes spam such an unbearable problem and how spamming tactics are evolving daily to beat anti-spam software. In the space of two months, spammers have switched from image spam to using PDF, Excel and ZIP file attachments. By using these attachments to send images instead of embedding them in the body of the email message, spammers have taken the cat-and-mouse game with anti-spam software developers to a new level.

This white paper explains what makes spam such an unbearable problem and how spamming tactics are evolving daily to beat anti-spam software. In the space of two months, spammers have switched from image spam to using PDF, Excel and ZIP file attachments. By using these attachments to send images instead of embedding them in the body of the email message, spammers have taken the cat-and-mouse game with anti-spam software developers to a new level.

This white paper explains what makes spam such an unbearable problem and how spamming tactics are evolving daily to beat anti-spam software. In the space of two months, spammers have switched from image spam to using PDF, Excel and ZIP file attachments. By using these attachments to send images instead of embedding them in the body of the email message, spammers have taken the cat-and-mouse game with anti-spam software developers to a new level.

This white paper explains what makes spam such an unbearable problem and how spamming tactics are evolving daily to beat anti-spam software. In the space of two months, spammers have switched from image spam to using PDF, Excel and ZIP file attachments. By using these attachments to send images instead of embedding them in the body of the email message, spammers have taken the cat-and-mouse game with anti-spam software developers to a new level.

Major credit card companies are pushing hard to stop the financial fraud incidents that have affected numerous organizations and their consumers. Consequently, organizations that accept payment card transactions are duly bound to comply to PCI DSS by end of 2007. Organizations that fail to comply, risk not being allowed to handle cardholder data and fines of up to $500,000 if the data is lost or stolen. This white paper examines the necessary requirements to adhere to PCI DSS, the implications of non-compliance as well as how effective event log management and network vulnerability management play a key role in achieving compliance.

The digital age in healthcare is unfolding with the promise of dramatically improving patient care. Through the use f advanced medical technologiessuch s diagnostic imaging and electronic record keepingproviders can offer better and faster diagnoses, reduce errors and protect vital information. But the promise of this new age is tempered by significant challenges for the IT infrastructure, particularly the data storage and retrieval systems that stand at the heart of he evolution. Digital imagery requires enormous amounts of storage,and demand for this exciting diagnostic tool continues to skyrocket. Medical practitioners need access to his data quickly and reliably in order to make accurate, timely diagnoses. And increasingly, new legal and regulatory environment has evolved, calling for longer retention of and better security over these ever-increasing amounts of patient information.

During the 80s, war dialing and phone phreaking were the attacks that garnered all the headlines. In the 90s it was all about web defacement and the ubiquitous email virus. The last seven years have given rise to identity data theft and privacy concerns. For the past twenty years, organizations have focused on protecting the network; but in the last ten years it has become clear that the core threat is not, nor really ever was, access to the network. The network is just a means to an end. The threat has always been access to the enterprises crown jewels: private data and the applications/ business functions that interact with that data. This is the Achilles heel of the enterprise today.

The threshold for PCI compliance is simply a minimum standard. Retailers recognize that failure to satisfy the Payment Card Industry Data Security Standard (PCI DSS) requirements and lead to financial penalties and leave the organization vulnerable to attack. The PCI standard has very specific requirements. No single product, procedure or policy can satisfy all of the requirements. As part of a total solution or PCI, Apani EpiForce can restrict access to cardholder data with logical security zoning and policy based encryption of data in motion. Logical security zones isolate systems that store, process or transmit cardholder data. For companies unable o encrypt credit ard data at rest, compensating ontrols may be considered. Compensating controls restrict access cardholder data with added security zones and policy based encryption of data in motion. EpiForce provides a solution to block the connectivity of unauthorized sers r devices and is n excellent option or achieving CI compensati

Fortrex Technologies, a Qualified Security Assessor (QSA) certified by the Payment Card Industry (PCI) to conduct Level 1 PCI data security assessments, identifies ways of using new technologies as a mitigating control for PCI-DSS compliance and to solve the issue of limiting the scope of an audit, and encrypting user names and passwords in transmission without the need to modify or rewrite applications. This white paper examines these technologies and endorses Apani EpiForce as a compensating control for PCI compliance.

Researchers with the Ponemon Institute found hat 595 of 00 85%)) IT executives and security officers indicated their businesses have experienced at least one known occurrence of a data security breach.Moreover,experts estimate between 70%and 80%of data security breaches are due to internal access to sensitive information. These alarming statistics illustrate that efforts to safeguard data must move beyond network security and data masking or encryption which can be circumvented by clever perpetrators on the inside. In fact, the number of data privacy and security breaches continues to be on the rise, despite growing regulations and software solutio ons that aim to prevent the average user from being able to view sensitive data.

The Sarbanes-Oxley Act represents one of the most far-reaching changes in U.S. securities law since the Great Depression. Its implementation and enforcement take place in a technological environment that has changed in ways unimaginable even a few decades ago. Enterprise Resource Planning (ERP) systems, and enterprise application systems in general, have automated manual processes spanning individual departments, locations even whole companies. And while the automation of these systems has increased employee productivity and enabled far-reaching strategic initiatives, the process has resulted in intricate systems that can be difficult to control, monitor and audit.

Scene: late 2004. Situation: dire. As part of its preparation for Sarbanes-Oxley Act (SOX) compliance, a large multi-billion dollar high-tech company faced likely citation by its external auditor for having significant material weaknesses in internal controls. The biggest area of exposure was the segregation of duties (SoD) in application roles and user access in and across more than 60 different systems in varying technical environments. The CFO, not willing to risk the companys financial reputation, internally estimated more than $100M in potentially lost market capitalization. The CFO mandated that all SoD violations be fully addressed in a little more than six months so that external auditors could start their testing efforts for 2005.

Many production plants are linked to the Internet and utilize standard software, which makes them a potential target for hackers. Siemens is making these systems more secure.Security experts at Siemens Corporate Technology use a model production facility to demonstrate how easy it is to compromise the security of some systems.

The business risks associated with providing users access to information resources include a broad array of potentially damaging events that are caused or made possible by inadequate governance. Such events range from relatively minor policy and compliance violations to disastrous business losses. The demands of regulatory compliance are among the factors driving corporate IT and security managers to improve their access governance processes, but the issues are broader and deeper than the scope of any regulation.

The increased demands of regulatory compliance are causing corporate business and IT security managers to review their access governance policies and procedures with an eye toward improving the efficiency and reliability of their systems,while reducing the complexity and cost associated with demonstrating compliance.Within many organizations,however,access governance is not viewed as a strategic issue and regulatory compliance is simply regarded as a sunk cost.This narrow perspective can obscure the true value of investing in technologies that strengthen,automate,and streamline access governance,enabling it to be sustainable.

*Insight on two-factor authentication credentials to help you decide on the best choice for your customer-base. Fortune 500 companies are increasingly discovering that stronger authentication options can result in decreased fraud costs, improved customer loyalty, a competitive advantage, and ultimately, higher top-line revenue potentials. *Insight on identity protection, authentication, and fraud detection services that enable enterprises to offer a more secure online experience with minimal consumer disruption.

Small and medium-sized enterprises can protect websites against application vulnerabilities with simple, easy-to-use, and affordable service. Firewall, Intrusion prevention and Detection System (IDS/IPS) are not enough to protect your Website against todays application vulnerabilities.

Since firms are being held to a higher standard of high availability, the challenge for most is to design server and storage systems that are truly continuous and that guard against unplanned downtime. That means high availability, long associated with application/system uptime, is evolving to include the service of data availability. Aberdeen uses two key performance criteria to distinguish Best in Class (BIC) companies that leverage a high availability strategy: the overall ability to recover critical applications within a short window and year-over-year improvement in ability to recover data.

To gain some clarity on the data protection market, Aberdeen group has embarked on a survey of end users, in different job roles and across numerous industry sectors, to gain insight into customer's data protection strategies. About 100 customers were surveyed and the results revealed that disaster recovery, business continuance and traditional backup/restore and legal discovery mandates make up the three top drivers behind customers' data protection strategies, while a whopping of 72% of the respondents surveyed cited a

As virus writers create increasingly sophisticated malicious code and find ever more effective methods to propagate,enterprises find themselves scrambling to keep their networks,servers,and end-user computers safe from new threats. Traditional anti-virus applications work by searching the contents of files and looking for a recognized pattern of data (a signature )that is the virus program itself.However,virus writers have come up with various methods to escape detection by changing their programs,making it harder for virus scanners to recognize them as viruses.Today s viruses are either polymophic or metamorphic and can actually change themselves as they propagate. The increasing sophistication of malicious code is therefore making pattern recognition technologies less and less effective.

Email has become the dominant form of business communication rivaling, if not exceeding,the importance of voice networks.Indeed,email has had such an extraordinary impact that,like the fax and ATM,it s hard to imagine life before its widespread adoption over the last decade.The very power of the medium has also attracted a disturbingly large and growing number of security threats spam,fraud,viruses,regulator y violations and intellectual property theft. The volume and sophistication of email security threats continues to grow at an unchecked pace.Most customers observe that as much as 90 percent of their incoming mail is invalid (spam,viruses,etc),and the total number of incoming messages is doubling ever y year,even if the number of employees stays constant.These email security threats are fueled by a powerful profit motive associated with spam,fraud and information theft.This creates resources that bring professional engineers into the business of developing new threats,fur ther

In Europe,the level of awareness of I threats is generally very good.Most organisations know how to deal with viruses,spam,key-logging and other Internet threats.IDC believes that the vast majority of organisations are using,at the very least,antivirus or an antispam tools plus additional security features such as VPNs for remote connection backup and recovery for business continuity.However,this provides just basic protection and covers just half the danger. Threats today are agile,silent and very efficient,especially if organisations do not fully understand where the real threat lies.A single question that can help present the current situation is why have there been so few reports of widespread viruses over the past 12 months? Antivirus systems are certainly now quite effective,and the responsiveness and agility of detection systems reacting to large waves of self-reproductive viruses also improved. Furthermore,with the exception of poor security tools management,such as out of date

Email and data security solutions are available in different deployment configurations, from hardware and virtual appliances to software. Another option,

For any business handling sensitive credit card information, compliance with PCI DSS requirements is absolutely critical. And with the newest security requirements taking effect June 30, 2008, you need to move quickly. Here's some help -- a complimentary guide sponsored by Citrix which helps you achieve the latest PCI DSS security mandates. You'll get practical insight to ensure your success, including: The newest security measures you must have in place by June 30, 2008 6 key recommendations to ensure ongoing PCI DSS compliance How to deploy a security solution that also increases Web app performance and availability, plus cuts overall costs Don't delay -- June 30 will be here before you know it, and some non-compliance fines have increased by more than 25% over the last year.

Data deduplication has the potential to fundamentally change the economics of data protection by providing unparalleled rewards to users. However, every data deduplication solution is different and you must take the time to evaluate your environment and needs. This requires you to cut through the data deduplication hype and find out the truth about data deduplication product offerings. Use this white paper as a reference guide for learning about the background of data deduplication and tips assessing different solutions. Read this white paper for insight on important topics, such as: * The purpose of data deduplication * The principles of data deduplication * Common myths and pitfalls to be aware of * Recommendations for evaluating data deduplication solutions

Remediation of network vulnerabilities before exploits strike is the golden ideal for every organization. Proactive remediation strengthens security by removing the exploitability of assets. This is the safest of all states, and helps to ease traditional reliance as the primary protection against hackers and other network-borne threats.Documentation of regular,ongoing vulnerability remediation is also a common network security requirement of laws and regulations such as PCI, GLBA and HIPAA.

Trends in enforcement and the potential of new regulations make a strong case for healthcare provideres to conduct preemptive assessments and audits of Privacy and Security compliance with HIPAA.

Court rulings and enforcement activity emphasize importance of compliance.