The Perils of Non-Compliance

Nov 13 2011 10:44:14 PM Posted By : jeffersonjaikar

The word ‘compliance’ has come a long way in the English dictionary. It might have started as yet another addition to the vocabulary, but the people who coined the word could hardly have foreseen the image it conjures up now.

SOX, HIPAA, PCI, FISMA, GLBA… and considering the probability of future Enrons, this list is only expected to grow. However, since many organizations have taken active steps to adhere to the compliance rules, transactions on the web have become a lot safer than they used to be! Companies will surely not want to take the risk of being non-compliant… not if they have to face dire consequences!

You’ll have to face those dubious ‘CNN moments,’ where you’ll need to parade in front of the camera for the whole nation to scorn you. As a consequence, you’ll lose a large chunk of customers – who wants to project themselves as a victim of fraud!?! If you are a larger organization, the impact is even worse: the shareholders pull out as their value drops. This will, in the worst case, mean an abrupt closing of your business! Non-compliance triggers a domino effect of events that never seem to stop!!

Additionally, there are consequences (of relatively less intensity) like paying thousands of dollars in penalties, and having a tough time fighting the Government to safeguard your dignity (and that too… by paying a lawyer!), or even worse, ending up in prison!

Amid all of the above, be assured that being compliant and establishing compliance are not as difficult as the consequences make them seem… not if compliance becomes an everyday activity rather than a one-time task! If all access logs and financial data are maintained and audited regularly, there’s no need to ‘comply’ all of a sudden! It’s just there when you need it! Compliance is more like a set of rules that streamline the flow of the financial audit process and strengthen data security. It may seem that (if not caught red-handed) things do go well for the organization… but it’s always safer and better to be compliant, because it ultimately boils down to data security!

Now comes that really achy part – establishing compliance; a situation more like ‘Water Water all around, and not a drop to drink.’ If you’ve been compliant all year long and you need to establish compliance, all you need is comprehensive software that will collate the data and generate neat reports that will establish compliance. There are tools that cater to specific compliance requirements, and also ones that deal with everything – SOX, HIPAA, PCI, GLBA and FISMA!

Throw away all your compliance woes folks! There’s nothing to it beyond being diligent in maintaining your financial records and being able to prove you’ve done so!!

Why IT Matters

Nov 04 2011 12:53:00 PM Posted By : Raj Sabhlok


When I was in business school in the late 1990s, we learned about Total-Factor Productivity (TFP). That’s the factor or coefficient that, when combined with labor and capital, equates to total output. TFP is an intangible, but it is thought to be anything from better human capital skills to technology (IT).

 

I bring up this old memory because there was a debate at the time among economists as to how big a role IT played in overall productivity gains and thereby total output for an entity or even GDP. I'm no economist, but I think the answer is pretty obvious today. Again, without anything to cite other than common sense and simple observation, I think future historians and economists will look back and consider the information age as every bit as important as the industrial revolution. When you think about the ability to process information rapidly, to store and retrieve data, to communicate instantaneously, and to optimize manufacturing processes (or, for that matter, to optimize nearly any business process through the application of IT), is it really possible to view the past 30 years as other than revolutionary?

 

Nearly every aspect of our lives has changed for the better because of technology. Whether it be a GPS-guided car ride, the rapid check-out at the grocery store (today it is self-check out!), or purchasing an airline ticket, nearly everything is more efficient. I won't even get into how Apple alone has enhanced our everyday lives with the iPhone and iPad and the related apps! The fact is, the more we invest in technology, and the quicker we can harness its power, the more productive we can become.

 

As I recall, the debate about how much technology contributed to productivity was related to the cost of IT and the ramp-up related to deploying new technology. While these factors may prolong the return-on-investment, there can be no doubt to the eventual gains in productivity. Organizations are highly optimized today because of technology. On balance, they are more profitable because of technology and the related productivity gains.

 

To be sure, IT has also led to lost jobs. IT automation and globalization have eliminated the need for millions of jobs in the U.S. and elsewhere--but the same observation could be made about the industrial revolution: Think of how many weavers and tailors were forced to reinvent themselves when the mills optimized the production of textiles. The nature of revolutions is that societies change; old ways are abandoned and new ways are adopted. While some industries, manufacturing in particular, have suffered (in terms of net jobs) as a result of IT, I do believe that other industries--particularly the IT sector--have flourished. Still others will flourish too as more entrepreneurs find new ways to use IT to do new things - but, that is another blog!

 

In the early days of the technology revolution (1980s - 1990s), the costs of adopting and deploying technology were high. The technology needed to mature. Economies of scale, which could drive down technology costs and make technology more mainstream, had yet to be achieved. And, keep in mind that back in the ‘80s people spoke of “business re-engineering” projects in terms of months and years of effort--and this was the conversation among the technically savvy people. Back in the ‘80s and ‘90s, it took a long time for productivity to improve because it took a long time to deploy the technology. Some people didn’t want to embrace technology, so that complicated factors and could, in some cases, increase the costs and delays of deploying technology.

 

So much of that is different today. We can deploy technology faster and at far lower costs. People are far more accustomed to using technology--particularly younger workers, who have grown up in a world where technology is common. Indeed, we’re fast approaching the point where the users of technology are moving ahead of the IT organizations tasked with managing and maintaining the technology. In more and more organizations, people are walking through the doors with iPhones and iPads; they’re connecting and collaborating in ways that their IT organizations have no control over. From a personal productivity standpoint, that’s exciting. Moreover, it’s exciting from an overall organizational standpoint: the more productive the people within the organization are, the more productive the organization can be.

 

But it’s all maddening for the IT organization. They’re the ones who are struggling to keep up. They’re the ones that feel like they’re falling behind. They, who used to define what it meant to be cutting edge, are feeling dull.

 

What’s the solution for an IT organization? Do what you really do best: Use technology to better harness the power of technology. IT organizations need to find ways to make use of the lean, cutting-edge tools and service delivery modalities to facilitate the delivery of IT services. Once you can figure out how to improve the productivity of the IT organization itself, you have more time to focus on how you can use IT to improve the productivity of the broader organization. 

 

In the end, IT is all about boosting TFP -- at the personal level, at the level of the IT organization, and, ultimately, at the level of the enterprise itself.


Raj


IT's New Reality

Oct 04 2011 03:42:30 PM Posted By : Raj Sabhlok
Jason Hiner over at TechRepublic wrote a blog the other day entitled “What the IT department will look like in 2015.” He’s got some interesting views: IT departments will be smaller, more decentralized, rely on more consultants, and focus their resources “on software, the cloud, and mobile devices,” he writes.

Where I take issue with what he writes is in the general expectation that IT departments are going to devolve into a smaller organization of significantly lesser importance within the organization. The real challenge--and the real opportunity--for IT leaders is to harness the potential of IT to the evolution of the business. I agree with Hiner when he says that IT is going to focus on software, the cloud, and mobile devices--but they’re not merely going to be ensuring that software in the cloud runs properly and that mobile devices are properly tracked and connected. They’re going to be focusing on how the combination of software, the cloud, and mobile devices can enable the organization to operate in a completely new way, how it can engage customers more effectively, compete more effectively, open new markets, and more.

The IT manager that can facilitate this kind of business transformation is going to earn him or herself a place at the table where the big decisions about the future of the organization are made. Indeed, the IT department’s ability to enable business transformation through software, the cloud, and mobile devices is going to elevate the importance of IT. It may be smaller and leaner, and yes it will rely on automation and outsourced service suppliers to take care of the mundane issues--but it could play a far more important role than ever before.

I want to emphasize could. IT can only take a seat at the Big Table, can only be seen as a peer in the creation of business strategy, if it can get its arms around the challenges posed by software, the cloud, and mobile devices today. IT leaders around the world want to think strategically, want to bring their knowledge of the potential of technology to those business discussions, but rarely do they have time. Their organizations are up to their eyebrows in the mundane tasks. They need to deploy tools to automate more effectively. They need tools to help them deliver their own services more efficiently and effectively. They need to know how to support the plethora of mobile devices that are emerging everywhere--and they need to know how to make the most of those mobile devices themselves in order to deliver their own services more efficiently and effectively.

This is at the heart of what we at ManageEngine think of as real-time IT. It’s the ability to manage the day to day tasks more effectively, the ability to deliver IT services more efficiently and responsively. Only when an IT organization can do this can it legitimately claim that seat at the Big Table.

So that’s where we see IT going, and that’s why we’re focusing on building the tools that IT organizations need to operate more efficiently and effectively. That vision of real time IT drives everything we do. I agree with Hiner when he says that IT organizations are going to be smaller and that their work will be very different. But I also see potential for huge gains for IT in terms of visibility and importance. For those IT organizations that succeed today in streamlining their operations and getting an upper hand on the IT chaos in their organizations, 2015 could be a very good year indeed.

Raj

I had a lot of fun talking to Michael Dortch recently. For those of you who don’t know Michael, he’s a charismatic IT analyst who has a great perspective on IT and who likes to share it. The man’s one of the top tweeting IT analysts and has written extensively about IT infrastructure, collaboration, and cloud computing — all of which are right up our alley at Zoho and ManageEngine.

So Michael came to Pleasanton, and we talked about what is on the minds of IT managers today. Feeling Dickensian, we agreed that it is both the best of times and the worst of times for IT managers. A lot of exciting technology is making its way into business, and some of those technologies — mobile tech like smartphones and tablets, and social tech like Twitter and Facebook — are game changers. Some have introduced dramatically improved levels of productivity; others have changed entire business models.

That’s the best-of-times view.

The worst-of-times view takes in these same game-changing technologies but looks at them from the perspective of IT professionals struggling to deal with them. How do we incorporate them into our infrastructure? How do we manage them for the enterprise? How can we make the most of them ourselves to deliver IT services more effectively and play a larger role in the delivery of value to the business and our customers?

Sure, CIOs are all talking about using technology to grow their businesses, improve service delivery, align more effectively with business units, become more agile, establish a common language between IT and business groups, and so on. Wow, sounds good, right? But now, turn your gaze away from the big screen. Pay attention to your colleagues behind the curtain — the ones in charge of keeping the server lights green and the networks up and running. “It sounds nice,” they mutter, “but it’s not going to happen at the pace that it should.”

Why not? Well, as most industry analysts indicate and discussions with IT professionals validate, it comes down to budget and hours in the day. Most analysts say that 60-85 percent of IT budget dollars are spent on “keeping what they have working and making what they have work together.” Not surprisingly, IT professionals spend about the same percentage of their time on the management and maintenance of existing technologies and projects — leaving virtually no time to execute the forward-thinking vision of the CIO.

Michael and I reached the conclusion that until IT organizations can get their arms around the technology they already have and until they can drive down the maintenance costs, the cool new stuff will take a backseat. It’s a bit of a catch-22, sadly: The new technologies may very well contribute to greater productivity and lower costs but only if the IT organization can find time to explore them, envision and test new business and service delivery models, and then deploy those technologies — which, of course, they can’t do until they can free up some time.

It would be great to get a larger population of IT professionals to weigh in on this topic. Let us know: Are you able to adopt new technologies fast enough? And if not, why not?

Raj


 

Lessons from Sony PSN breach

May 11 2011 03:15:27 AM Posted By : Ragavan S
The breach at Sony PlayStation Network (PSN) creates a lot of doubts in the IT security manager's mind. We can take our lessons from the breach, because it is smarter to learn from others' mistakes.

Right.

Don't think your company is too small or big for an attack!

Don't be in a state of optimistic illusion. Any company's IT assets can be attacked, irrespective of its size. The recent attack shows that attacks are not even limited to certain industries such as banking. Being in the entertainment or gaming industry in no way allows you to soft-pedal security measures. For any industry, customer data is god. Don't get scared, but be prepared to face it.

Get back to basics!

Do not ignore the basics of security. All aspects of security (physical, personnel, data and IT resources) need to be covered. Ensure controlled physical access. Train your employees and cultivate security awareness. Deploy firewalls, proxies and other necessary security devices in your environment to secure enterprise and customer data and IT resources.

Adopt advanced techniques to stay ahead!  

Carry out periodic checks of physical security. Ensure that personnel are adhering to the security policies. Monitor their network activity. Verify the effectiveness of the security devices periodically. Use appropriate monitoring tools to keep a continuous 24-hour vigil on these devices for clues about attacks and other threats. Safeguarding your customer data is of paramount importance, as whether you stay in business or go out of business hinges on it.

Ensure that the statutory regulations are complied with. This will also ensure the minimum mandated level of security.

Plan your security measures in advance and get them implemented. Formulate IT security policies for your enterprise and ensure that the policies are complied with in letter and spirit.

Put your lessons into practice and get IT secured.

ManageEngine offers a host of tools for security management. EventLog Analyzer and Firewall Analyzer are good for internal and external security monitoring. For other tools, visit the ManageEngine website.

No, PCI DSS compliance may not be limited to banking and payment card companies. It may be enforced for any company handling customer credit card data. As you can now see, even the Sony PlayStation Network has been attacked, and data thieves have stolen a large amount of customer credit card data.

This is not to scare companies, but to educate them about customer data security. Data thefts may not stop in the near future, nor be restricted to only one set of companies. The thieves may shift their target from one set of companies to another. They will look for credit card data, irrespective of the type of company they breach. Your company should not become a victim. This is what a Visa executive has to say about the recent Sony PlayStation Network data breach.

Small and medium companies cannot afford to take chances and go out of business. As the adage 'Prevention is better than cure' goes, be wise and prevent. Make your security policy foolproof and get it implemented. Get compliant with regulations like PCI DSS to reduce your risk of customer data theft.
ManageEngine EventLog Analyzer offers pre-built compliance reports for PCI DSS as part of the security offering to fortify your network security. Have a look at it.

The current dynamic IT scenario underscores the importance of security logs because of the rise in hacker activity. The resultant requirement is an event log management tool to detect security issues within your network. Gigabytes of log data are likely to appear each day, and they remain irrelevant until critically analyzed to confirm that network security is error-free. Event log management comes prior to any other measures you may have considered for security reasons. It is not an opinion but an enforcing factor for ensuring security and addressing growing auditing concerns.

Security Event Log Management Checklist

Before zeroing in on any event log management software application, it is crucial to know whether it is the correct solution to your unique security demands and whether it is cost-effective. What would be the exact features and role of the event log management solution in your company? Overall, review the event log management solution on the following parameters:

Easy to Use Reports

Most importantly, it should make reviewing security information convenient, with an easy, comprehensible report structure that provides a summarized view of the security data. Additionally, the event log management tool should manage the data in such a way that quick, analytical insight into the security-related information is possible. The reports should give an overview of the top events, such as logon and logoff attempts, alerts and system users, that are of high relevance to the administrator and the enterprise management.

Detecting Threats by Tracking Down the History of their Occurrences

The event logging tool should be able to provide trend analysis so as to bring disguised threats into the spotlight. To draw inferences from specific patterns of events, the event log tool should be able to present a visual representation of up-to-date, factual security information.

The Archiving Feature, Storage Capacity

Your event log tool should be scalable enough to take in heavy volumes of log data and store them for the longer, required period of time, so that they are available for forensic investigation in case a security incident occurs within the organization.

Supporting Systems and Formats

The event log tool should be compatible with any given log source, supporting the Security Issues in Network Event Logging standard (syslog), Windows, W3C web server, proxy and application logs as well. UNIX logs (IBM AIX, Sun Solaris BSM) and logs from devices by Cisco (routers & switches), Juniper and others should also be collected, monitored and analyzed. So, basically, it has to accept log data from heterogeneous sources in a variety of formats.

Role of an Event Log Application

It should collect, archive, correlate and analyze security log files. It should be a reliable, cost-effective and integrated solution for compliance, IT operations and security concerns.

Why compliance audits?

Let us not narrow our perception to IT systems alone, but consider IT infrastructure as a broad term. Auditing has a purpose. Tracking activities within the systems is important for system security but, most importantly, it is a priority for data security. To secure IT data within an organization, auditing requires not just protection but assurance of continuous protection.

Auditing: Hard-and-Fast, Stringently Enforced Rule

A compliance audit calls for both event logging and log reviewing. However, companies are often willing to opt for event log inspection only for the sake of complying with the regulatory acts to which they are legally bound. But without log reviewing and analysis, an event log application is merely a security camera recording evidence with no crime patrol. It is like gathering information on the looting of confidential data with no eyes to see it.

Why spend on an event log management tool that serves compliance log management?

Simple! It is a source of evidence, an assurance, and most importantly, an investment.

Source of evidence, in terms of providing timely information and objective news, and serving as the witness required to resolve confidential data theft issues.

Assurance of continuous monitoring and alerting functionality that assists in situational awareness for appropriate handling of the situation. An event log application acts as an identifier of threats.

Investment in the investigation of inappropriate behavior within the systems, through an event log analyzer that analyzes logs and provides an insight into the events captured in them. It is an investment because an event log application, like a lie detector, is a threat detector that locks security incidents, assists in preventing policy breaches, avoids getting duped by any trickster or hacker, and assists in rectifying operational errors.

Tips from the Auditor's Perspective:

  • Your event log tool should continuously track events and retain the logs' originality. Logs that are protected from any kind of manipulation serve as a quality assurance to the auditors and are a mark of good compliance log management practice.
  • The log reporting structure should be compatible with and comprehensible to human understanding. It should be systematically presented with indexes to locate the trends and behavior of activities that occurred within the infrastructure.
  • It is important to learn what kind of logs correspond to the compliance log management requirements that your organization is to abide with. Accordingly, your reports should introduce event logs with appropriate categorization of events. Using an advanced event log tool, you can customize the inbuilt reporting structure to match the compliance log management and audit needs.
  • Compliance audit aims at requiring the operating systems, a home to personally identifiable information (PII), to record any network issues.


Plan of Action: not only meet regulatory compliance standards but also stay assured of secure IT operations within the network as a part of compliance log management. As a step to satisfy these needs, you require EventLog Analyzer as your log management tool. Opting for EventLog Analyzer, you can achieve event normalization. In other words, you can get rid of the formatting issues that could result in a Windows Vista event log file being unreadable on Windows XP systems. The tool supports the EVT and EVTX log formats.

What exact information are the auditors looking for?

  • Study of the process involved in following corporate policies and set compliance standards and whether or not these procedures are in sync with the applications and the operating systems within the network
  • Recordings of security updates and host users have a place in the event logs
  • Detailed analysis and storage of information on any changes or revision in the applications and systems including: user responsible for modification, the when and what changes have taken place and the cause for the modification, logon-logoff attempts, date and time, effective from and on which data files or network resources

To conclude, every IT organization, for the security of its systems, servers and overall network environment, should be aware of the legal requirements and the risks involved in not applying the EventLog Analyzer tool as a means to achieve compliance log management. These risks include incurring penalties for theft of customer credentials, data breaches, and failure to abide by the regulatory standards set by the government. If you feel your organization is safe with its current tools, it is time you knew that security concerns are very high, with high-tech hackers on the prowl, waiting for a loophole in your network. Your IT infrastructure might not be as safe as you think it is!


"Who will guard the guards"?

Aug 03 2010 05:16:03 AM Posted By : Shri Shankar

Russell, a chief security officer for a renowned enterprise, is one of our EventLog Analyzer customers. Recently we had a quick review of his EventLog Analyzer deployment. One of the requirements that makes our hay shine is 'User based activity' reports on EventLog Analyzer.

User activity reports let an enterprise check various security-related transactions done by users in the enterprise’s IT network. This report enables the IT manager to carry out a PUMA audit on privileged users with various rights, and on the end results of their transactions.

Before the EventLog Analyzer deployment, Russell was initially worried because quite a number of failed logons were made by his administrators.

“An administrator’s one failed log-on event on one server is acceptable, but one failed log-on event on a couple of servers at the same time by a privileged user is an ‘anomaly’, and you need top-priority attention to nail down this user.”

User Activity reports, or Privileged User Monitoring & Auditing (PUMA), in EventLog Analyzer are designed with this scenario in mind. The combination of host-wise user activity and user-wise host activity, along with notification profiles, let him easily track the source of such transactions.

Now, he can log off peacefully at the end of the day, as he got the answer for his valid question on internal security.

“Quis custodiet ipsos custodes?”
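
The anomaly Russell describes (a privileged account failing to log on to more than one server at about the same time) can be written as a small detection rule. The following is an added example, not EventLog Analyzer code; the log line format, the account and host names, the two-minute window and the privileged-user list are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, host, event type, user.
SAMPLE_LOG = """\
2010-08-03T05:10:01 host=srv-db01 event=logon_failure user=adm.kate
2010-08-03T05:10:40 host=srv-web02 event=logon_failure user=jsmith
2010-08-03T05:11:15 host=srv-db01 event=logon_failure user=adm.ravi
2010-08-03T05:11:20 host=srv-web02 event=logon_failure user=adm.ravi
2010-08-03T05:11:48 host=srv-ad01 event=logon_failure user=adm.ravi
2010-08-03T05:12:05 host=srv-db01 event=logon_success user=adm.kate
2010-08-03T07:30:00 host=srv-web02 event=logon_failure user=adm.kate
2010-08-03T07:31:10 host=srv-ad01 event=logon_failure user=jsmith
"""

# Assumptions: who counts as privileged, and what "at the same time" means.
PRIVILEGED_USERS = {"adm.kate", "adm.ravi"}
WINDOW = timedelta(minutes=2)
MIN_HOSTS = 2  # failures on this many distinct hosts inside WINDOW is an anomaly


def parse_line(line):
    """Split 'timestamp key=value ...' into (datetime, dict of fields)."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts_text), fields


def find_anomalies(log_text, privileged=PRIVILEGED_USERS,
                   window=WINDOW, min_hosts=MIN_HOSTS):
    """Return one record per burst of privileged logon failures that
    touches at least min_hosts distinct hosts within the window."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    recent = defaultdict(deque)   # user -> recent (timestamp, host) failures
    open_alerts = {}              # user -> alert still being extended
    anomalies = []

    for ts, fields in events:
        user = fields.get("user")
        if fields.get("event") != "logon_failure" or user not in privileged:
            continue

        failures = recent[user]
        failures.append((ts, fields["host"]))
        # Drop failures that have aged out of the sliding window.
        while failures and ts - failures[0][0] > window:
            failures.popleft()

        hosts = {host for _, host in failures}
        if len(hosts) < min_hosts:
            continue  # one failure on one server is acceptable

        alert = open_alerts.get(user)
        if alert and ts - alert["last"] <= window:
            # Same burst: extend the existing alert instead of re-alerting.
            alert["hosts"] |= hosts
            alert["last"] = ts
        else:
            alert = {"user": user, "first": failures[0][0],
                     "last": ts, "hosts": set(hosts)}
            open_alerts[user] = alert
            anomalies.append(alert)
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(SAMPLE_LOG):
        print(f"{a['user']}: failed logons on {sorted(a['hosts'])} "
              f"between {a['first']} and {a['last']}")
```

Isolated failures on a single server and failures by non-privileged accounts are ignored, so the output matches the distinction drawn in the quote above.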

     


Ask me in EventLog Analyzer.

Apr 09 2010 07:05:50 AM Posted By : Shri Shankar


The IT manager or CXO of an enterprise is responsible for managing all of its IT infrastructure. This includes staying updated on the status of the various security threats posed by internal users in the enterprise, and keeping a watchful eye on the various internal transactions carried out. That leads them to demand summary reports on important IT resources from their team, including specific serious events.

Such requirements are often delegated to system administrators and other IT staff, who supply IT managers with these specific reports. Mostly, the information a CXO requires is a bird’s-eye view of:

  • Network security status for the complete enterprise
  • Overall compliance status and related remediation /configuration changes done.

System administrators, by contrast, always like to apprise themselves of the various events occurring on their enterprise servers, including application events, security events and system events. This requires them to monitor user activity and server usage, and to carry out necessary configuration changes.

Event logs from various IT resources are used by Sysadmin community to achieve this purpose. Using event logs, one can easily follow wall out procedures for effective troubleshooting, and reap faster remediation. The aggregated information and reports from the System Administrators help IT managers to determine the above said points.  

EventLog Analyzer is an industry favorite tool, which provides effective solutions for this community to be at ease.  The power packed feature set in EventLog Analyzer enables its users to create any number of custom reports based on any specific requirements, by using a couple of mouse clicks.

It has a built-in feature called Ask ME, which carries a set of high-level questions based on various events collected from the monitored hosts. These are common FAQs for any enterprise’s IT team: you click on the relevant question and get the answer.

You can create your own custom questions in addition to our canned questions, and include them in the EventLog Analyzer Ask ME tab. Using this feature, a system administrator can create a custom report profile that interests his CXO, and integrate this question into the Ask ME tab.

Try this out by following the steps given in the link below:

http://www.manageengine.com/products/eventlog/help/eventlog-misc/add-questions-askme.html

IT managers can log in to the user interface of the EventLog Analyzer application and get the required summary reports in real time.

After all, analytical summary data are meant for the managerial hats, and drill down exercises are vital for the engineering team.