- +
Bill Gates: A New Approach to Capitalism in the 21st Century 28 January, 2008 07:12:19
Transcript of Gates speech, and a Q&A at World Economic Forum in Davos, SwitzerlandAs you all may know, in July I'll make a big career change. I'm not worried; I believe I'm still marketable. I'm a self-starter, I'm proficient in Microsoft Office. I guess that's it. Also I'm learning how to give money away. - +
ARN's A-Z guide to networking 19 December, 2007 14:50:54
As business needs change, so do the requirements for the business backbone. ARN looks at networking trends and technologies and reports on predictions for 2008 and beyond. - +
Beyond the firewall 20 November, 2007 16:21:43
Network security more complex than everThis year, with all of its data breaches, has certainly proved that network security is much more complex than at past times, when firewalls were viewed as premium defense collateral. What are some methods/policies I should be aware of as I look to spend time (and security budget) in 2008? - +
ITIL takes on security management role 10 December, 2007 07:26:18
Implementing ITIL process improvements said to mitigate enterprise riskLong touted for streamlining processes and reducing operating costs, the ITIL best-practices framework also helps mitigate enterprise risk, say its adopters. - +
Data-leak prevention product guards intellectual property 16 October, 2007 08:12:04
Reconnex revises security software, applianceReconnex this week announced an upgrade to its data-leak prevention software and appliance designed to help companies define and protect their intellectual property.
Click here for case studies, whitepapers and other useful vendor content Australian water treatment company uses four GFI products to protect its network
Dimension Data, La Trobe University and Windows Server 2008 partner to improve compliance
V/Line and Oakton use Microsoft SQL Server 2008 to develop an Executive HR Dashboard
WebCentral boosts Security and Reliability with Windows Server 2008
Microsoft® takes legal action against software pirates
Newsletter Subscription
While rapid-fire cost-savings and consolidation efforts typically dominate an IT executive's annual to-do list, what's getting the green light this year are multiphase projects that protect organizations from regulatory fallout and data leakage.
At the California Department of Health Care Services (DHCS), for example, increased federal mandates and heightened media attention have led to a focus on projects that prevent data loss, says Christy Quinlan, CIO at the Sacramento agency.
"I know that whatever we spend on projects to secure data would be a whole lot cheaper than having to deal with even one leak," she says.
IT executives in a cross-section of industries, including government, education and the private sector, share the sentiment. In fact, three specific project areas -- privacy, enterprise rights management and data center automation -- are all getting the go-ahead because they can enable better data protection.
Privacy
Since she took office as CIO in 2005, Quinlan has had a laser-like focus on improving the systems at the DHCS, a 2007 Enterprise All-Star Award honorable mention designee. She describes herself as a doer, not a talker, and doesn't understand why implementing new technologies takes some IT teams so long. Being a doer served her well earlier this year when the U.S. Social Security Administration (SSA) notified her team that its main system, Medi-Cal, was in violation of the Health Insurance Portability and Accountability Act regulations.
The mainframe-based application lacked the ability to prove that only need-to-know personnel were gaining access to private patient information, the SSA said. More than 70,000 workers in 58 counties use Medi-Cal to access Medicare and Medicaid claims.
To come into compliance, Quinlan needed to install role-based access privileges coupled with auditable time-stamping. "The SSA said we only had a short time to fix the problem or it was going to deny us access to its network," she says. The DHCS had no time to rewrite the Medi-Cal application code itself or to do any major system changes.
Instead, the agency opted to tack IBM's Resource Access Control Facility (RACF) onto the mainframe to manage and log role-based permissions atop the Medi-Cal system's own basic built-in privileges. Now Quinlan can set multilevel security policies based on users and the types of files they are trying to access. "This depth of tracking allows us to create a full audit trail," she says.
To avoid passing the complexity of a layered system on to users, Quinlan's team synchronized username and passwords for RACF and Medi-Cal. "They have a single point of entry and don't have to log on with separate identities," she says.
Having met the SSA's deadline, Quinlan has since returned to other privacy initiatives, including encrypting the more than 8,000 DHCS desktops and laptops in accordance with -- and in some cases ahead of -- state and federal regulations. "There's still no requirement to encrypt desktops, but why wouldn't you when you could have tremendous damage to the organization's credibility if data were lost?" she says.
Andreas Antonopoulos, senior partner at Nemertes Research, applauds organizations that are tackling privacy problems head-on. "You can easily protect against data loss with checks and balances and separation of duties," he says.
He also recommends prioritizing what data you need to retain and for how long. "The best security policy is not storing data you don't need," he says. Also, he advises IT teams to avoid using Social Security numbers and other critical data as identifiers.
In Pennsylvania, the Department of Agriculture follows right-to-know policies to make farmers feel safe providing sensitive information, says Sean Crager, CIO at the Harrisburg agency. "By having strong privacy policies, we increase enrollment in important [animal disease] awareness programs," he says.
For instance, the department encrypts sensitive information at the field level in its SQL Server database. This gives the department a two-fold advantage, Crager says: It allows the agency to be granular in the data that is secured as well as to avoid performance hits that would arise from encrypting the entire database.
Crager also ensures he stores only necessary information, offloading tasks such as credit-card processing to trusted third parties. "My goal is to keep as little personal data as possible. If we don't need it, I don't want it," he says.
ARN Member Login
ARN Panel Sessions: Day 3The last of our panel sessions recorded live at CeBIT 2008. Today, the topic is storage. Data is growing at an enormous rate, so what does the future hold?
Weekly Tech News update - July 4th, 2008YouTube stars gather in Boston, a laptop is gone in 90 seconds, a look at new robots, a tearful farewell to Bill Gates and a look inside a cable laying ship.
Brian's bloopersIt takes a long time to produce an episode of Channel Watch. Maybe you'll understand why after watching this...
When an IT disaster occurs, how handy it would be to push a button and start again as if nothing had happened.
Discover and learn more about CA XOSoft today.
Media release: 40 Per Cent of Australian Businesses Do Not Validate Their Data 04 July, 2008 10:29:00
Kaseya helps turbo charge BlueFire’s service delivery model 03 July, 2008 17:23:00
Computershare Selects Symantec for Data Loss Prevention Globally 03 July, 2008 14:52:00
DST International moves to new Shanghai office 03 July, 2008 13:21:00
Put your home based business on the map! Australian Home Based Business Awards 2008 03 July, 2008 12:39:00
Australian water treatment company uses four GFI products to protect its network
OSMOFLO, an Australian company, implemented a suite of four GFI products to protect its network from viruses and spam, to monitor and control internet usage and to save time and money on faxing.
Subscribe to ARN
