Tuesday, September 13, 2005

Survey takes on security best practices

NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY
09/13/05
Today's focus: Survey takes on security best practices

Dear security.world@gmail.com,

In this issue:

* Call for participation in important survey
* Links related to Security
* Featured reader resource

By M. E. Kabay

Regular readers of my column will know that a leitmotif of my
professional life, which includes applied statistics, is that we
simply don't have enough solid information about the facts
surrounding information assurance events. My colleague Professor
Sharon W. Tabor - chair of the Networking, Operations & IS
Department at the College of Business & Economics of Boise State
University - is trying to change that.

Here's an interesting project through which readers can
significantly contribute to progress in our field. Here's
Tabor's introduction.

* * *

With all the talk in the press about information assurance, IT
governance and compliance, one might assume that everyone has
adopted one or another of the major governance methodologies
such as ITIL, CMM, or COBiT. The tactical implementation of
those policies takes the form of best practices, a familiar term
in the IT world. Security is certainly a major driver toward
best-practice adoption, along with compliance with legislative
action or the threat of zealous auditors.

Best practices supposedly offer many benefits. For example, a
survey of IT executives in 2004 found that organizations that
implemented best practices rated themselves as having higher
status within the overall business. Additionally, they were
successful at justifying higher budgets to address security
issues, and were looking at security in terms of a long-term,
risk-based strategy, with fewer security incidents overall.

On the other hand, it appears that not everyone agrees with the
need for best practices. In addition to success stories about
large company experiences with best practices, there is also
preliminary evidence that suggests many small and medium-sized
organizations continue along their daily activities, putting out
fires and remaining predominantly reactive. Whether due to the
complexities of the methodologies, or overall lack of time and
resources, many organizations don't seem interested in adopting
new processes. Others aren't convinced there is a reason for
best practices. David Lawson, for example, argues that security
best practices don't exist
<http://www.networkworld.com/careers/2005/053005man.html?rl> -
and if they did the cost would be way too high for most
organizations. He discusses the use of good practices, minimal
acceptable standards, and appropriate and reasonable controls.

I am conducting research into this controversial topic. I was a
middle manager for many years, and my research goal is to
separate reality from the trend-setting buzzwords that are
attached to our field.

The survey at the link below queries who has adopted which
methods and what the drivers and benefits have been. Survey
responders will receive a white paper with an examination of
each of the major methodologies, and more important, the
perspective from which they have been developed. Finding a
perspective that addresses organizational needs more than any
other single factor can help narrow down the choices and yield
the desired benefits. Organizations of all sizes can benefit
from IT governance and best practice development, but the key is
in finding the right fit.

* * *

I (Mich) spoke with Tabor and asked her how the research is
going. She said:

"The response has not been what I had hoped. People are
tremendously tired of doing surveys, but this is a really
important area. The whole IT governance problem really needs
some solid facts, and this survey could really be important in
identifying key issues that organizations are dealing with."

I asked how this survey would avoid the classic pitfalls of
voluntary participation in online surveys - misleading results
and biased sampling. Tabor confidently answered that the
questions focus on the basics of what organizations have done,
which methodologies they have used, and what's worked for them,
thus avoiding the problems of typical opinion-oriented research.
She said, "We also included some internal validation measures
typical of good surveys."

Click here
<http://telecomm.boisestate.edu/research/BPsurvey.asp> to begin
the survey and sign up for a copy of the results. In addition to
getting the white paper, respondents will be entered into a
drawing for electronic gift certificates. Please spend a few
minutes to do some good for the field and then see what others
are doing to get IT security and services under control.

_______________________________________________________________
To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP, is Associate Professor in the
Division of Business and Management at Norwich University in
Northfield, Vt. Mich can be reached by e-mail
<mailto:mkabay@norwich.edu> and his Web site
<http://www2.norwich.edu/mkabay/index.htm>.

New information assurance journal - Norwich University Journal
of Information Assurance (NUJIA). See
<http://nujia.norwich.edu/>
Copyright Network World, Inc., 2005
