Tuesday, September 16, 2008

Compliancy, innovation and security

In this first in-depth topic I will try to cover the impact compliance can have on security and innovation.

Many companies store personal customer data such as names, email addresses, postal addresses and phone numbers. Companies that sell or provide online services often also store purchase and payment information such as credit card or bank details.

The whole process of obtaining, retrieving and storing this data is a potential risk and needs to conform to a standard defined by a compliance body. Well-known certifications and compliance standards are Sarbanes-Oxley, PCI DSS and the ISO standards.

Compliance obviously affects many employees, procedures and systems, so it is important to know what is in scope and what is not. In my experience it is useful to put all Internet-facing systems in scope: treating every Internet-facing system the way the standard prescribes is good security practice in itself.
Internet-facing systems include mail, VoIP services, websites and remote access.

You do not want to be in the middle of a migration when the auditor is looking over your shoulder, so upgrades to new versions and the introduction of new services should be planned between auditor visits. At least, that is what I suggest.

It can be worth upgrading to a new version or introducing new systems before the auditor comes, provided your schedule leaves time for planning, deploying, testing and updating the documentation the standard requires.

Upgrades to Microsoft products that improve security and are generally appreciated by auditors are:
  • Exchange servers upgraded to Exchange Server 2007
  • Introducing Office Communicator 2007 and its services
  • Windows XP to Windows Vista
  • Forefront Client Security

Exchange servers upgraded to Exchange Server 2007

  1. Removes relaying options on your external SMTP server by introducing the (Edge) Transport server role.
  2. Adds advanced anti-spam functions.
  3. Advanced antivirus protection with Forefront Security for Exchange Server.
  4. Improved overall security through server roles and rewritten services and structure.
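Whatever the mail product, the relay claim above is something you should verify yourself from the outside rather than trust from a feature list. The following is an added example, not code from the original post or from Microsoft: it walks the SMTP dialogue up to RCPT TO with a sender and recipient that both belong to foreign domains and classifies the response. A server that accepts such a recipient will relay for anyone. All host names, addresses and server replies are constructed for the example, and the `ScriptedSMTP` class is an offline stand-in for `smtplib.SMTP` so the code runs without a network.

```python
"""Open-relay check for an Internet-facing SMTP server (added example).

The probe stops after RCPT TO and issues RSET, so no message is ever relayed.
"""
import smtplib
from dataclasses import dataclass

# Constructed probe identities: neither domain belongs to the server under test,
# so a 250 to this RCPT means the server relays third-party mail.
EXTERNAL_SENDER = "probe@example.net"
EXTERNAL_RECIPIENT = "relay-test@example.org"

ACCEPTED = {250, 251}   # RFC 5321 positive completion codes for MAIL/RCPT


@dataclass
class RelayResult:
    mail_code: int
    rcpt_code: int
    rcpt_reply: str

    @property
    def open_relay(self) -> bool:
        return self.mail_code in ACCEPTED and self.rcpt_code in ACCEPTED


def check_open_relay(smtp, helo_name="probe.example.net",
                     sender=EXTERNAL_SENDER, recipient=EXTERNAL_RECIPIENT) -> RelayResult:
    """Run EHLO / MAIL FROM / RCPT TO on an already connected SMTP object.

    `smtp` is anything with the smtplib.SMTP command methods (ehlo, mail, rcpt,
    rset, quit) that return (code, message-bytes) tuples.
    """
    smtp.ehlo(helo_name)
    mail_code, _ = smtp.mail(sender)
    if mail_code in ACCEPTED:
        rcpt_code, rcpt_msg = smtp.rcpt(recipient)
    else:                      # sender refused outright: no relay possible either way
        rcpt_code, rcpt_msg = mail_code, b""
    smtp.rset()                # abandon the envelope; never proceed to DATA
    smtp.quit()
    return RelayResult(mail_code, rcpt_code, rcpt_msg.decode(errors="replace"))


def probe(host, port=25, timeout=10) -> RelayResult:
    """Run the check against a real server (needs network; assumed target host)."""
    return check_open_relay(smtplib.SMTP(host, port, timeout=timeout))


class ScriptedSMTP:
    """Constructed offline stand-in for smtplib.SMTP with a fixed relay policy."""

    def __init__(self, local_domains, allow_relay=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.allow_relay = allow_relay
        self.transcript = []   # client commands, for inspection

    def ehlo(self, name=""):
        self.transcript.append(f"EHLO {name}")
        return 250, b"mail.example.com Hello"

    def mail(self, sender, options=()):
        self.transcript.append(f"MAIL FROM:<{sender}>")
        return 250, b"2.1.0 Sender OK"

    def rcpt(self, recip, options=()):
        self.transcript.append(f"RCPT TO:<{recip}>")
        domain = recip.rpartition("@")[2].lower()
        if self.allow_relay or domain in self.local_domains:
            return 250, b"2.1.5 Recipient OK"
        return 550, b"5.7.1 Unable to relay"   # the expected hardened answer

    def rset(self):
        self.transcript.append("RSET")
        return 250, b"2.0.0 Resetting"

    def quit(self):
        self.transcript.append("QUIT")
        return 221, b"2.0.0 Service closing transmission channel"


def demo():
    """Hardened server versus misconfigured relay; returns their open_relay flags."""
    hardened = check_open_relay(ScriptedSMTP({"example.com"}))
    misconfigured = check_open_relay(ScriptedSMTP({"example.com"}, allow_relay=True))
    return hardened.open_relay, misconfigured.open_relay


if __name__ == "__main__":
    print("hardened open relay? %s, misconfigured open relay? %s" % demo())
```

Run `probe()` from an address outside your own network, because relay permissions are commonly tied to the connecting IP and an internal test will not show what the Internet sees. Two caveats: a server that accepts every RCPT and only rejects at DATA (or silently discards) will look open here, and one that refuses the foreign MAIL FROM outright is reported as not relaying, which is correct but hides the reason; read `rcpt_reply` in both cases rather than relying on the boolean alone.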

Introducing Office Communicator 2007 and its services

  1. Secure VoIP services.
  2. Encrypted instant messaging (no need for MSN, Skype or other consumer clients).
  3. Improved secure communication in general.

A drawback is that it adds externally connected, Internet-facing IP addresses and services, which means more systems in scope.

Windows XP to Windows Vista

With the right hardware investment Vista provides a faster and more secure desktop environment, in particular the much-disliked UAC (User Account Control), which stops code from silently running with administrative rights and is therefore a genuinely good security feature against scripts, viruses and trojans.

Forefront Client Security with WSUS and MOM

Together these give you central control over the computers in your network.

  1. Security state assessment and alert reporting.
  2. Enforced real-time antivirus scanning with daily updates.
  3. WSUS for scheduled, enforced, centrally managed updates.
  4. AD Group Policy Objects for controlling Forefront-protected computers.

As you can see, upgrading or introducing new services can be a good thing even when you need to be compliant and are audited. But always take great care in planning and deployment, and run a security scan of any computer connected to the Internet.

Thank you for reading. Let me know if this works for you.

Wednesday, September 3, 2008

ICT Innovation and Security blog

Dear Reader,

This is my blog about ICT innovation and security, or is it security and innovation? Happily for me, ICT innovation creates new security threats as well as reducing existing security risks. So which one comes first and which is more important? A hard question, which I hope to answer in a series of articles covering important aspects of new technology, how it benefits you and what security concerns it might raise.

The focus will be on Microsoft products, but I will also cover compliance, managed services, outsourcing, servers, firewalls, switching, virtualization and applications: from A to Z, and from the end user as consumer or employee to partner or client.

In these articles I will draw on the knowledge and experience I have gathered over the last 10 years. In my position as CTO and CSO of Payvision, a credit card processing company, I often have to make choices about security and innovation.

Credit card processing companies need to be PCI DSS compliant nowadays. That is a good thing: it enforces security policies and best practices on companies that process MasterCard and Visa transactions. But with this compliance obligation, innovation can be postponed or become impossible, because compliance can be more important than innovation. Or can it? See my next article.

I hope my articles can shed some light on today's issues and technology. Feel free to request a topic that is on your mind.

Thanks for reading. I will write to you soon...