
April 20, 2007

ITIL: Moving from Tactical to Strategic

The impending release of the third version of the IT Infrastructure Library has a lot of people talking.

A recent edition of CIO offers a story by Laurianne McLaughlin that serves as a good primer on the history of ITIL, the current version, and what improvements can be expected when the next version is released in June.

To boil it down, the article talks about ITIL being somewhat pigeon-holed as a best-practices framework for solving specific operational needs, as opposed to a strategic tool for adding business value through improved service delivery.

One of the flaws with the current version of ITIL, in the eyes of people like Lee Hayes, vice president of enterprise technologies at SLM, the mortgage lender known as Sallie Mae, is that it is "very descriptive, but not prescriptive."

The U.K. Office of Government Commerce (ITIL's creator) hopes to remedy complaints like those with the new version. Trimmed down from the current eight books to five core books, the updated version boasts more real-world examples, best-practice models and metrics, and emphasizes the entire IT service lifecycle and ROI issues. The new version also addresses how to apply ITIL principles in outsourced operations, a growing facet of today's IT operations.

According to independent ITIL consultant Malcolm Fry, one of the benefits of implementing an ITIL framework is the ability to get to the bottom of an IT problem. "Looking for root causes is now important - you just can't keep fixing things," he said.

Overall, as George Spalding, a vice president for the consultancy Pink Elephant, stated, "ITIL drives the strategic direction that IT is about services, and it provides a definition of success."

If you are among the more than 97% of organizations that are either considering or are engaged in implementing the ITIL framework, the improvements in the third version should provide the additional guidance necessary to further accelerate your efforts.

April 19, 2007

Ten Top Real ID Complaints

I've taken a couple of opportunities to express my concerns with the Real ID law.

Wilson Dizard III shared this list in a recent edition of Government Computer News that I felt was worth sharing with you.

The Real ID law has met with a fusillade of criticism from state and federal lawmakers, privacy advocates, state executive branch officials and commentators. Opponents have cited dozens of potential technical problems, including:

10. Only one of the five national systems that state motor vehicle departments will need to implement the Real ID law is currently ready, according to the National Governors Association. DHS itself concedes that some federal “reference databases” aren’t yet complete.

9. Real ID calls for states to use a single array of security features for driver’s license cards, which could force states to abandon existing card issuance systems.

8. The federal government lacks a uniform naming convention that would facilitate states’ electronic verification between files.

7. The door remains open for creation of a de facto national identity database.

6. The draft Real ID rule doesn’t include a redress process, which likely will become a technical as well as a policy issue, because thousands of people now have driver’s licenses with faulty data.

5. The draft doesn’t require that data on the license’s machine-readable zone (MRZ) be encrypted. DHS has said that distributing encryption keys, or a single, common key to the 16,000 state and local law enforcement agencies that will need access to the MRZ data would pose an unacceptable challenge. The department said it would favor MRZ encryption if the practical problems could be solved and raised the possibility that the MRZ shouldn’t include the bearer’s address.

4. Some critics charge that Real ID magnifies privacy risks, partly by shirking the requirement that federally sponsored systems meet the standards of the Federal Information Security Management Act. The draft rule states that it doesn’t create a national database because it leaves the interstate data exchange decisions to the DMVs. That statement prompted Jim Harper, director of information policy studies for the Cato Institute, to posit that DHS was saying, “My car didn’t hit you—the bumper did.”

3. DHS has failed to require that the MRZ omit the race identifier field.

2. Real ID fails to take advantage of identity verification processes the federal government already carries out when it issues passports, military IDs, Transportation Worker Identification Cards and some federal employee credentials. The National Conference of State Legislatures has asked why, if individuals holding such documents can already board an airliner, they should be checked again to get a driver’s license.

1. Technical challenges, such as the apparently inadvertent omission of several categories of legal residents eligible for the credentials and the high cost to states of complying with the law, have spurred a vigorous rejection campaign in state capitals. Idaho and Maine already have enacted laws rejecting the Real ID requirements, and similar legislation is pending in dozens of additional states.

I'd like to hear your comments, pro or con, on this law.


April 18, 2007

Further Comments on FISMA by Rep. Davis

In my post earlier this week on the latest FISMA grades, I referenced a quote by Virginia Rep. Tom Davis.

He posted further comments on the Hill Blog Monday that are worth reading. He lets the Department of Homeland Security off the hook a bit, but really expresses frustration with the Department of Defense.

Good to hear directly from our legislators, rather than in a press clipping.

April 17, 2007

Is the IRS Keeping Your Data Safe?

Today is tax day in the United States. Procrastinators will be spending time wrapping up their returns, either on-line or racing to the local post office.

But, is the information you provide the IRS secure?

According to a recent article in Computerworld, your information is probably not as protected as we'd like to think: "An audit by the Treasury Inspector General for Tax Administration found that between January 2, 2003, and June 13, 2006, a 'large number' of laptops were stolen from the vehicles and homes of IRS employees, while 111 were stolen from various agency facilities."

A separate test of laptop computers currently in use by employees found that 44% contained unencrypted sensitive data, including taxpayer data and employee personnel data. Most disappointing is that these findings mirror those of a similar July 2003 report.

As the report indicated, "the IRS had not taken adequate corrective actions." The article includes a response from IRS Commissioner Mark Everson in which he says, "Our systems have extensive protection from outside penetration," but that answer seems to indicate a failure to recognize the threats to data that never involve outside penetration at all, such as laptop theft and insider misuse.

The IRS expects a great deal from taxpayers when we prepare our returns. It's time for taxpayers to expect more from the IRS when it comes to protecting our privileged information.

April 16, 2007

FISMA Scores Improve...Barely

The latest grades are out for the federal government when it comes to information security. According to Government Technology, Rep. Tom Davis, ranking member of the House Oversight and Government Reform Committee, gave the federal government an overall grade of C-minus for safekeeping information on government computer systems. After being mired in D's for the past three years, a C-minus shows some improvement but still leaves a lot of room for growth.

While the Department of Justice and the Department of Housing and Urban Development showed the most improvement, with Justice jumping from a D to an A-minus and HUD from D-plus to A-plus, there were also some significant declines: NASA fell from B-minus to D-minus, and the Department of Education fell from C-minus to F.

As Rep. Mike Turner, ranking member of the Information Policy, Census and National Archives subcommittee, said in the Government Technology article, "It's troubling that some of the agencies with the most sensitive information continue to score poorly on this. The report identifies problems in federal agencies which include the Department of Defense, the Department of State, and the Nuclear Regulatory Commission."

However, on closer inspection, two of the biggest grade improvements came as a result of simply documenting the inventory of systems. You'd think this was a very elementary step to take for securing sensitive data.

As the article points out, "more improvement is needed in how systems are configured from a security standpoint and for training for employees with significant information security responsibilities."

Nobody in government IT should be satisfied with this improvement. Average compliance scores are one thing, but they most likely translate into above-average exposure to exploits.

April 13, 2007

Keep Watch for "Storm Trojan"

According to headlines on ComputerWorld yesterday, the largest spam attack in the past year is well underway.

"Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected -- the password is included in the message to further dupe recipients -- actually contains a variant of the "Storm Trojan" worm, which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers," according to the article by Gregg Keizer.

Postini has already counted nearly 5 million copies of the spam in the last 24 hours, and calculated that the run currently accounts for 87% of all malware being spread through e-mail. Spam rates have jumped as well; Postini said 79% of all e-mail is now spam, according to Adam Swidler, senior manager of solutions marketing at Postini, who was quoted in the article.

This attack is certainly a good reminder that systems need to have anti-virus and anti-spam software installed and running, but, perhaps even more than that, it's a great reminder to use common sense and not open e-mails or attachments unless you know their source.
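The lure described in the article has three parts that a mail gateway can see without knowing anything about the malware itself: an alarmist subject line, a ZIP attachment, and the archive password sitting in the message body. The password matters twice over: it is what gets the victim to open the file, and it is also what stops gateway anti-virus from looking inside the archive, since an encrypted ZIP cannot be content-scanned without it. The Python script below is an added example, not code from the original post or from Postini or Computerworld. It builds two constructed sample messages (the sender addresses, subjects, body text and attachment contents are made up for the demo), and patches the ZIP encryption flag in by hand because the standard library cannot write encrypted archives; it then triages each message on the lure pattern alone.

```python
"""Gateway-side triage for the password-protected-ZIP lure pattern.

Added example. Sample messages and attachments are constructed here for
illustration; the ZIP encryption bit is patched in manually because
zipfile cannot write encrypted archives.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subject lures quoted in the Computerworld story (case-insensitive).
SUBJECT_LURE = re.compile(r"\b(worm|spyware|virus)\b.*\b(alert|detected|activity)\b", re.I)
# The lure puts the archive password in the body so the victim can open it.
PASSWORD_HINT = re.compile(r"\bpassword\b", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_zip(member_name: str, payload: bytes, encrypted: bool) -> bytes:
    """Return a single-member ZIP; if `encrypted`, mark the member as password-protected.

    Bit 0 of the general-purpose flag (offset 6 in the local header, offset 8
    in the central-directory entry) marks a member as encrypted. A scanner
    sees only that flag; it never gets to read the member contents.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01                       # local header of the first (only) member
        cd = data.find(b"PK\x01\x02")         # central-directory entry
        data[cd + 8] |= 0x01
    return bytes(data)


def zip_members(blob: bytes) -> list:
    """Return [(name, is_encrypted), ...] from the central directory, extracting nothing."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(info.filename, bool(info.flag_bits & 0x01)) for info in zf.infolist()]


def build_message(sender: str, subject: str, body: str,
                  attachment: Optional[bytes] = None) -> bytes:
    """Assemble a test message (constructed input, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="zip",
                           filename="patch.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message; returns the verdict and the reasons behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT_LURE.search(str(msg["Subject"] or "")):
        reasons.append("lure-subject")
    text_part = msg.get_body(preferencelist=("plain",))
    body_text = text_part.get_content() if text_part is not None else ""
    password_in_body = bool(PASSWORD_HINT.search(body_text))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "application/zip" and not name.endswith(".zip"):
            continue
        try:
            members = zip_members(part.get_payload(decode=True))
        except zipfile.BadZipFile:
            reasons.append("malformed-zip")
            continue
        if any(enc for _, enc in members):
            # Gateway AV cannot inspect an encrypted archive; a password in the
            # body means the sender wants the user, not the scanner, to open it.
            reasons.append("encrypted-zip")
            if password_in_body:
                reasons.append("password-in-body")
        if any(n.lower().endswith(EXECUTABLE_EXT) for n, _ in members):
            reasons.append("executable-in-zip")
    if {"encrypted-zip", "password-in-body"} <= set(reasons) or \
            ("lure-subject" in reasons and "executable-in-zip" in reasons):
        verdict = "quarantine"
    elif reasons:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


def demo():
    """Run triage over one constructed lure and one constructed benign message."""
    lure = build_message(
        "alerts@example.org", "Worm Alert!",
        "A worm was detected on your PC. Install the attached patch. The ZIP password is 1234.",
        build_zip("patch.exe", b"MZ" + b"\x00" * 62, encrypted=True))
    benign = build_message(
        "colleague@example.org", "Q1 figures",
        "Spreadsheet attached as discussed.",
        build_zip("q1.csv", b"region,revenue\nEMEA,10\n", encrypted=False))
    return triage(lure), triage(benign)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The verdict deliberately does not depend on recognising the malware: an encrypted archive plus a password in the body is enough to quarantine on its own, because that combination has no legitimate reason to arrive unsolicited, and it is exactly the shape that defeats signature scanning at the gateway.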

April 12, 2007

HIPAA Enforcement Still An Empty Promise

The Health Insurance Portability and Accountability Act, better known by its acronym, HIPAA, was passed by Congress way back in 1996. Yet, despite being on the books as long as or longer than almost any other major regulatory compliance mandate facing IT departments, it has clearly been the proverbial "red-headed stepchild" when it comes to enforcement.

The Office for Civil Rights (OCR) is actually tasked with enforcement of the law. According to a post by Rebecca Herold, "The Department of Health and Human Services (HHS) Office of Inspector General (OIG) appears to be making movement on their promise in their Fiscal Year 2007 Work Plan to 'review HIPAA privacy and security implementation under Medicare and Medicaid to identify key issues in the HHS information technology initiative.'"

Herold cites two references in the April 9 issue of Privacy and Law Report, from the Bureau of National Affairs (BNA, a subscriber site), as potential signs of increased enforcement. The report states that auditors will assess Piedmont Hospital in Atlanta's compliance with the HIPAA security rule, and it indicates the Centers for Medicare & Medicaid Services (CMS) are also planning increased enforcement.

Yet, in the same post, Herold shares these paltry statistics from the Office for Civil Rights, the body responsible for HIPAA enforcement: "Through February 28 [the department] had closed 77% of the 25,662 complaints it had received. The OCR referred 373 of the complaints to the Justice Department for criminal investigation."

If my math serves me correctly, that means that, of the nearly 20,000 complaints the OCR "investigated" (77% of 25,662), fewer than 2% were judged worth further action? COME ON!!

Oh, and why is Health and Human Services promising any improvements if the Office for Civil Rights is the one that has to step up and improve enforcement?

Sounds like a pretty empty promise to me.

April 10, 2007

How Secure is Microsoft Vista?

Many companies are still taking a "wait and see" attitude on upgrading their Microsoft desktops and laptops to the Vista operating system. The most heavily touted improvements in Vista are focused around security.

We've all seen the Apple commercial poking fun at the constant security-related questions Vista asks. So, what is the scoop on Vista security? Is it an improvement? Where does it still have room to improve?

This month's ISSA Journal has the first of a multi-part overview of Windows Vista Security from Edward Ray and E. Eugene Schultz. The first installment focuses on User Account Control (UAC), Windows Defender, and Windows Firewall.

With UAC, Windows Vista provides a method of separating Standard user privileges and tasks from those requiring Administrative access. According to Ray and Schultz, while this feature is not quite as good as simply logging on as a normal user, it is an additional layer of protection previously unavailable in Windows XP or Windows Server 2003.

One drawback of UAC is that it requires every interaction involving installation or execution of external code to be approved, whether it was initiated by the user or by a potentially malicious website. Users therefore face a litany of dialog boxes asking them to continue or cancel. Meanwhile, all other access freezes and the screen darkens until the whole series of dialog boxes has been answered. Pretty annoying, especially if you're the user trying to get something installed.

Windows Defender, also available for Windows XP and Windows Server 2003, helps protect against pop-up ads, slow performance, and security threats caused by spyware, adware, keyloggers and other unwanted software. Defender monitors, in real time, the areas of Windows Vista that such software targets, such as the Startup folder and the Autorun entries in the registry. However, in a test using a sample set of 25 spyware and malicious code samples, Defender failed to identify 84% of them. Organizations should in no way consider Windows Defender a substitute for third-party anti-spyware solutions.

Windows Firewall, the third area Ray and Schultz cover, is enabled by default in Vista and protects the computer as soon as Windows Vista boots. Unlike the Windows XP firewall, the Vista firewall can filter both inbound and outbound traffic, although outbound filtering is not enforced by default and must be configured manually or through Group Policy. Like Windows Defender, Windows Firewall should be seen as a complement to third-party solutions, not a replacement.

Lisa Vaas has addressed these concerns in the print edition of eWeek. On March 5, in an article entitled "Vista's security called into question," she wrote about how social engineering can derail the effectiveness of UAC. In the March 19 edition, in "Will Vista Swat Bugs?", she addressed all of the security features mentioned above and also touched on the Windows Security Center and BitLocker Drive Encryption.

As Ray and Schultz point out, Microsoft is moving in the right direction with Vista, but questions remain. The biggest challenge is usability. Will the myriad security prompts lead users to opt out of approving software downloads and other potentially dangerous events altogether?

My hunch is they will...until Microsoft can find a way to distinguish where a request originates, so the process isn't such a pain.

April 09, 2007

ANI Patch: How Do You Think Microsoft Handled It?

Last week, Microsoft released an out-of-band patch for a vulnerability in Windows' handling of animated cursor (ANI) files.

The vulnerability was identified by Determina back in December, which in turn notified Microsoft. For some, like eWeek's Joe Wilcox, the four-month timeframe to get the patch out is unreasonably long.

Wilcox compares the ANI vulnerability to the Windows Metafile (WMF) bug that created problems back in late December 2005 and early January 2006. "Both flaws affect the Windows graphics subsystem—or GDI—and were exploited without patches being available." Both flaws also led to the release of several other fixes to GDI. However, the patch for the WMF vulnerability was available within days, not months.

Microsoft provided its own explanation of the process involved in releasing the patch. Based on some initial feedback from SANS, the extra testing may pay off in ensuring the patch is effective and doesn't cause too many headaches. Larry Seltzer, another eWeek columnist, was one of many who supported Microsoft's decision to release the patch ahead of tomorrow's regular cycle, although he questioned bundling the additional GDI patches with it. "By including it with this many other fixes they make it harder to test. Perhaps they should have left the rest of the update for next week," Seltzer said.

Mike Rothman, in one of his Daily Incite posts last week, didn't feel Microsoft handled the ANI vulnerability as well as it could have, but found several signs of improvement in how Microsoft is handling issues in general. Like Mike, I found Rob Graham of Errata Security's explanation to be one of the more reasoned perspectives on the ANI vulnerability.

What did you think of Microsoft's effort? How do you think they could improve?

April 05, 2007

J-SOX Compliance Date Nears

Publicly traded companies in America have been through a couple of rounds of SOX audits, but companies in other parts of the world will be getting their first taste of similar compliance requirements in the next year.

J-SOX, the Sarbanes-Oxley-inspired name for the Financial Instruments and Exchange Law, will go into effect in April 2008 for approximately 3,800 companies listed in Japan, along with their foreign subsidiaries. Like SOX, the Japanese regulation was also enacted in response to accounting scandals involving companies like Seibu Railway Co., Livedoor Co., and the Murakami Fund.

According to an article by Thomas Hoffman, some companies are already being proactive. Fuji's largest North American subsidiary is documenting its hardware, the IP addresses of those systems, and the software running on them. In addition, it is documenting the controls it has in place for several IT processes that could affect the company's financials. Tokyo Electron America, Inc., based in Austin, TX, is tracking and monitoring its global IT systems and documenting the security safeguards it has in place for each system.

If there is any lesson Japanese firms can learn from the first two years of SOX, it is not to procrastinate, particularly in getting the people, processes, and technology in place that weave compliance into the fabric of daily activity in the IT department. Otherwise, compliance becomes a near-total interruption of the IT department's responsibility for overall business services.

It sounds like some American subsidiaries are heeding the lessons learned by other American companies and passing them on to their Japanese counterparts...and that's a good thing.