Users mold security benchmark

May 14, 2001, 03:35 PM, Computerworld

The problem with IT security benchmarks is that the reference point is a constantly shifting target as new technologies and threats emerge.

And that's an especially difficult problem to overcome, said corporate security systems managers. They are examining the fruits of a relatively new cooperative effort that this week will yield the near-final version of a systems security benchmark for Sun Microsystems Inc.'s Solaris.

But despite concern about the benchmark's continued usefulness, end-user members of the Center for Internet Security said the organization's technical benchmark for securing Solaris systems will be key to their security efforts.

"To me, this is a great economic package for us," said Iris Patton, who heads security for the Americas at Houston-based Shell Services International Inc., the IT unit of Royal Dutch/Shell Group. In return for the $5,000 membership fee the company paid to the CIS, it's receiving technical information that's good enough to serve as a substitute for high-priced consultants, she said.

Comparative Analysis

The CIS's benchmarking effort is primarily a technical initiative. But companies interested in broader approaches to security can take an approach similar to the one used by Ford Motor Co.

Last July, Ford embarked on a $100 million security upgrade after benchmarking its IT security processes against those of some other, noncompeting companies, including Intel Corp. and Motorola Inc.

"What level of security do they have in place?" said Patrick Milligan, Ford's manager of security, strategy and technologies, who spoke at the Secure E-Business Conference last week in Arlington, Va. Ford shared its internal assessments with the companies involved and compared their security practices with its own processes.

Milligan advised other companies considering taking a similar route to decide upfront whether to utilize consulting services in support of benchmarking or to do it internally.

While big consulting firms offer excellent consulting services, he said, "we at Ford did the benchmarking ourselves to gain a better understanding of security practices/procedures utilized in industry, so that we could effectively develop our internal strategy."

The CIS is a nonprofit, cooperative group in Bethesda, Md., that was formed last October. Its members include more than 140 companies, government agencies and consulting firms.

The benchmark outlines a list of specific operational actions and settings for securing systems at different levels of protection. It was developed through a collaborative effort that involved ongoing feedback on the benchmark's drafts from technicians at some of the member companies, such as Shell's Unix gurus.

Donna Francis, who manages compliance security and policy for the IT group at Subaru of America Inc. in Cherry Hill, N.J., said the benchmark's collaborative approach will help fill security knowledge gaps.

"A [single] company can't always experience all the things that go wrong," she said. "It's just impossible."

But the true test of the benchmark will be its usefulness over time, said Francis.

"How are they going to keep it updated?" she said. "How are people going to add their experience next year or in the coming months as things change?"

Clint Kreitner, the CIS's president and CEO, said the goal is to keep the Solaris benchmark current through information the CIS gets from members, vendors and others. The CIS will also certify tools.

Other planned benchmarks will deal with Linux and Microsoft Corp.'s Windows 2000 and NT. The organization intends to release the Solaris benchmark next month.

"This is a consensus effort," said Kreitner. "We're not a commercial organization with something to sell. The knowledge is out there; it's just unevenly distributed."

The value to companies will vary. Deborah Eagan, security coordinator at Lincoln Electric System, a Nebraska-based utility with about 110,000 customers, said that as a smaller company, Lincoln Electric will still have to use consultants. But Eagan said she believes the standard will enable the utility to "get much more out of the consulting experience."

Carmen Banks, information security manager at Hallmark Cards Inc. in Kansas City, Mo., said the benchmark will be helpful as a standard to measure subsidiary and business-partnership security.

» posted by ITworld staff