The Top Five I.T. Control Weaknesses

I am surprised I didn’t post this one. In any case, here it is.

The Top Five I.T. Control Weaknesses by BEN WORTHEN.

  1. Failure to segregate duties within applications, and failure to set up new accounts and terminate old ones in a timely manner.
  2. Lack of proper oversight for making application changes.
  3. Inadequate review of audit logs.
  4. Failure to identify abnormal transactions in a timely manner.
  5. Lack of understanding of key system configurations.

This is the sidebar for the article How To Dig Out From Under Sarbanes-Oxley.

Another sidebar for the same article, Sarbanes-Oxley Compliance and the CIO: Year Two.

November 30th, 2005 | Jian Zhen | No Comments

Steps for managing risk

Good article on risk management on Computerworld by Samir Kapuria.

In this article, Samir described a three-step process that a security assurance team should take for risk management. The only thing I would recommend changing is to separate the incident response step from the Application step. Right now Samir has both mixed into one.

The risk management process is continuous; it should never be considered a point-in-time solution.

November 23rd, 2005 | Jian Zhen | No Comments

Webcast: 8 Key Steps to Monitor HIPAA Compliance

Register for this event

This is quite a webcast. LogLogic did one not too long ago and there’s such a demand that it will be re-broadcast LIVE.

November 23rd, 2005 | Jian Zhen | No Comments

Credit card fees on foreign charges

| Posted in General Technologies

So I have been doing quite a bit of international traveling, both business and personal. I am slowly finding out there is evil in credit card companies. For example, I have been using a Citi card for most of the charges. Every time the clerk swipes my card, 3% is added to the purchase amount. If I were to use an Amex, that’s an additional 2% on top of the purchase amount.

This is crazy!! It’s not like they have to do anything. When the bank receives the $$, it’s already in US$!!

In any case, here are some articles that explain the details:

There are a lot more articles on the web. You can search for it yourself.

In any case, most of these articles recommend getting a Capital One card that does not charge the extra fee. I think that’s what I’ll do and cancel the others.

November 23rd, 2005 | Jian Zhen | No Comments

Drilling Down on Security Data

Q1 Labs’ entry into the SEM market. Seems like they are competing with the Cisco MARS product.

November 21st, 2005 | Jian Zhen | No Comments

How to Fund a Startup

| Posted in General Technologies

A friend pointed me to this article on How to Fund a Startup by Paul Graham. Very good summary of the different funding options.

November 21st, 2005 | Jian Zhen | No Comments

Evaluating Security Startups

| Posted in General Technologies

Richard Stiennon recently wrote an article on Evaluating Security Startups. In this article, Richard listed six rules that he uses to evaluate products from security startups. Even though the article’s got some points, I can’t say I agree with everything he says. As an example, in the article, Richard said, “Security is all about [...]

November 21st, 2005 | Jian Zhen | 1 Comment

LogLogic, the World's First Log Management Appliance Vendor, Enters China

| Posted in LMI and SIEM

Our recent trip to China included a press conference with many of the top newspapers and IT magazines in China. Here’s a press piece that appeared on DoSTOR. In today's fiercely competitive business environment, demand for log storage and data processing will keep growing, and enterprises often plan for it as part of their infrastructure; log management has become a new trend in IT management worldwide. LogLogic was therefore the first to propose the concept of "intelligent log lifecycle management": collecting, aggregating, storing, archiving, analyzing and alerting on, and monitoring log data in real time. This effective management approach can optimize network operation, improve network availability and security, provide reliable auditing of network information, simplify the work needed to meet industry regulatory requirements and thereby greatly reduce operating costs, and also support IT decision-making and risk management.

November 20th, 2005 | Jian Zhen | No Comments

Photos from the LogLogic China trip

| Posted in LMI and SIEM

Recently Chris, Andy and I went to visit China. Here are some photos Andy took.

November 20th, 2005 | Jian Zhen | No Comments

Logs need attention, too!

| Posted in LMI and SIEM

Douglas Schweitzer had this to say regarding my article on Steps for preserving the integrity of log data. He’s absolutely right. He has also previously written an article, Don’t Ignore Lowly Log Analysis.

November 19th, 2005 | Jian Zhen | No Comments