Archive for the ‘General’ Category

Partitioning For Developers, Part 3

Posted in Database Support, General, Oracle by An Expert's Guide to Oracle Technology on October 28th, 2008 | No Comments
This is the final post (3 of 3) that I began last week. Before reading this one, read part 1 and part 2. I will post a presentation on this topic shortly. How do I use Partitioning? Now we get to the c...

How Banks And Insurers Shop For Technology

Posted in Database Security, General by Bill Nagel on October 28th, 2008 | No Comments
There are big differences between banking and insurance, even regarding what will persuade insurance or banking technology executives to buy. Earlier this year, Forrester invited a number of North American banking and insurance executives to tell us how they do their homework when it comes to purchasing network and telecommunications technology. It turns out that each industry has clear and different preferences when it comes to selecting which marketing channels deliver information that they can trust when learning about new products, staying ahead of the competition, and even advancing their careers. Technology marketers can maximize their marketing spend by becoming information authorities, pushing needed insights through the right channels that show shoppers how they can grow their business and their careers.

Part II: TSB EnCoRe Project – Ensuring Consent and Revocation

Posted in Database Security, General by marcocasassamont on October 27th, 2008 | No Comments

In a previous post of mine, I announced the UK TSB EnCoRe project, focusing on research on Consent and Revocation.

A new version of the EnCoRe web site is now available online.

I would be interested in getting your views and input on two aspects:

  • Prior art and work in the space of consent and revocation. In a first analysis, very little work is available in terms of automation of revocation of consent, in a wide sense. Any known work/solution in this space?
  • Your (user) requirements in the space of consent and revocation

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

October IIA Research Foundation (IIARF) Report Available

Posted in Database Audit, General by IIA News Feed on October 27th, 2008 | No Comments
The current edition of RF Report is now online. Meet Paul Sobel and his vision for the future as he assumes his new role as IIARF president; read how The Foundation helps move the profession forward through research and educational products, and learn how the merger of GAIN into The Foundation will provide new knowledge resources to internal audit practitioners. An interview with author MacDonnell Ulsch talks about the role of internal auditing in an increasingly hostile world, while the IT Audit Research Symposium provides insights into future IT needs. You can also read about award-winning chapter research from IIA St. Louis and IIA Dallas, and about the Esther R. Sawyer Research Award winning paper from University of Pretoria student Marianze Roux.

New Issue of Tone at the Top: “Getting Serious about Board-level Scrutiny”

Posted in Database Audit, General by IIA News Feed on October 27th, 2008 | No Comments
The November edition of Tone at the Top examines the need for audit committee self-assessment. Read "Getting Serious about Board-level Scrutiny". If your executive management and audit committee members are not already receiving Tone at the Top, please provide their mailing and e-mail information to pr@theiia.org.

Brief: Microsoft flaw attracts only minor malicious acts

Posted in General by SecurityFocus News on October 27th, 2008 | No Comments
Microsoft flaw attracts only minor malicious acts

In A Down Economy, Can Green IT Save Your Business Money?

Posted in Database Security, General by Bill Nagel on October 24th, 2008 | No Comments
The top motivation for pursuing green IT is to reduce costs — and in a down economy, every dollar helps. But CIOs should be warned: Without upfront measurement, you cannot credibly quantify these benefits. To plan for success, CIOs should calculate their green IT baseline — an annual estimate of the energy consumption, carbon dioxide (CO2) emissions, and financial costs of operating IT. This data will not only offer a practical green IT starting point by exposing your most energy-taxing assets, but without it you cannot accurately quantify and report the benefits of your greening efforts to senior management over time.

How To Stay Compliant When Times Are Tough

Posted in Database Security, General by Bill Nagel on October 24th, 2008 | No Comments
In the midst of an economic downturn that seems at least partly caused by inadequate enforcement of regulations, the demand for IT controls is increasing. IT professionals must monitor an ever-expanding array of IT assets and track their compliance to rules and regulations from a number of sources, both governmental and corporate. Further complicating the task is the difficulty of creating reports for roles. To help companies with this challenge, Forrester spoke with 17 IT security and compliance leaders from a variety of industries to find out the best ways to stay compliant, business-relevant, and on-budget.

Handling IP Protection With Chinese Outsourcing Vendors

Posted in Database Security, General by Bill Nagel on October 24th, 2008 | No Comments
The world's top 10 offshore providers in IT, business process outsourcing (BPO), and product engineering are increasingly going to China, behind India and the Philippines, for offshoring tasks. However, the issue of intellectual property (IP) protection remains a significant hurdle for many organizations considering the country. While the large IT services firms have made major investments in their IP protection processes and governance, customers still need to take their own precautions in parallel. If you outsource or are thinking about sending work offshore to China, you need to work with your vendor to attain an acceptable level of control. This includes auditing your vendor's security controls, negotiating a service-level agreement (SLA) with IP protection terms, arming yourself with appropriate legal protection, and using additional technical measures whenever necessary.

Q&A: Compliance Storage Demystified

Posted in Database Security, General by Bill Nagel on October 24th, 2008 | No Comments
Relying on the Securities and Exchange Commission (SEC) for guidance on regulations turns out to be a pretty bad idea, as we are finding out in more ways than one these days. When it comes to figuring out what constitutes compliance-based storage, the legislation is long in the tooth but the principles are clear. There are thousands of words written about the details, but from a technology point of view, compliance comes down to "expert opinion." There are several consultancy firms that are recommended by the storage vendors to demonstrate that a technology guarantees data immutability and auditing. But there is still a lot of confusion and very few tangible rules to follow. Buried in the myths and legends of what is and is not compliant storage are some generally accepted wisdoms.

New Massachusetts Regulations Impose Substantial Obligations on Human Resources Departments to Safeguard Employees’ Personal Information

Posted in Data Privacy, General by Philip Gordon on October 23rd, 2008 | No Comments

New Massachusetts regulations, effective January 1, 2009, are a clarion call for corporate human resources departments to join the war on identity theft. The regulations mandate the development and implementation of a "written, comprehensive information security program" to safeguard the information of Massachusetts employees and consumers. Such a program rarely will be fully effective without the involvement of human resources professionals and in-house employment counsel.

While these regulations apply only to organizations with Massachusetts employees, even employers without a Massachusetts presence should consider implementing a similar program. These regulations likely will be a model for other jurisdictions and could become the standard against which all information security programs are measured. Continue reading. . .

The IIA's Chairman's Video Now Available in Portuguese

Posted in Database Audit, General by IIA News Feed on October 23rd, 2008 | No Comments
The Institute of Internal Auditors (IIA) Chairman's Video is an excellent tool to use when promoting and talking about the internal audit profession. Now - thanks to the dedicated efforts of IIA-Brazil - the chairman's video is available in Portuguese for the first time. During The IIA's 2008 Annual Meeting in San Francisco, California, USA, Patty Miller, CIA, was elected to serve as the 2008-2009 IIA Chairman of the Board. She has chosen "Recognized. Trusted. Valued" as her theme for the year. Her chairman's video allows The IIA to showcase her message encouraging all internal auditors to become "recognized, trusted, and valued" throughout the world in order to make a positive difference in the global marketplace. The IIA's Chairman's Video is available online in English, French, Spanish, and Portuguese at http://www.theiia.org/theiia/about-the-institute/chairmans-video/ for streaming and viewing on your computer. If you need a high-resolution version (available as well in all four languages) for large screen presentations at special events, please contact pr@theiia.org.

Leo: The Mouse Master

Posted in Database Support, General, Oracle by An Expert's Guide to Oracle Technology on October 23rd, 2008 | No Comments
The day of an 11 month old boy:

  • Stalk Mouse - Check
  • Attack Mouse - Check
  • Wrestle on the floor with mouse - Check
  • Kill Mouse - Check
  • Nap - Check

Life is good. LewisC

Preparing For New SEC Reporting Guidelines

Posted in Database Security, General by Bill Nagel on October 23rd, 2008 | No Comments
Corporate finance and IT need to prepare now for new financial reporting guidelines. In tandem, they need to devise how the enterprise will create interactive data reports that satisfy the US Securities and Exchange Commission (SEC). Acting as an enforcer, the SEC is ostensibly reducing risk and creating financial transparency as it moves toward mandating a new universal financial reporting format. While searchable reports can provide marginal value for investors and the public, it has yet to be widely proven that the burden of another regulation is offset for enterprises via more efficient financial reporting or even new business insights.

Brief: Microsoft issues priority patch for wormable flaw

Posted in General by SecurityFocus News on October 23rd, 2008 | No Comments
Microsoft issues priority patch for wormable flaw

PrivacyOS: Thematic Network for Privacy Protection

Posted in Database Security, General by marcocasassamont on October 22nd, 2008 | No Comments

PrivacyOS (Privacy Open Space) is "a thematic network for privacy protection infrastructure within the current European Commission's ICT Policy Support Programme. The Project has started at the beginning of June 2008 and brings together industry, SMEs, Government, Academia and Civil Society to foster development and deployment of privacy infrastructures for Europe."

More details can be found here.

Last week I attended the first PrivacyOS Conference (Strasbourg, 13-15 October 2008). It has been very interesting and stimulating, considering the heterogeneous background of the audience, their presentations and subsequent discussions. I would encourage the members of this community to attend in the future (the next conference is going to happen in April 2009).

In this context, I gave a presentation on "Enabling Privacy-aware Information Lifecycle Management in Enterprises", describing work done at HP Labs and in the EU PRIME project (Framework VI), in the space of "Management of Parametric Privacy Obligation Policies".

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Will Oracle and SAP agree on a settlement?

Posted in Database Support, General by Shayna Garlick on October 22nd, 2008 | No Comments

Ever since Oracle filed its $1 billion lawsuit against rival SAP last year, it seems like the only news we hear coming out of the never-ending case makes it even more complex.

But an end may be in sight.

In a move that may settle the case up to a year before its scheduled February 2010 trial date, a federal judge has ordered Oracle to give a settlement price. On Monday, Judge Joseph Spero told Oracle to name a specific dollar amount by Feb. 13, and SAP will have until the 18th to respond with a counterproposal. A settlement conference is scheduled for Feb. 23.

Oracle claims that TomorrowNow, SAP’s third-party support subsidiary that it has since shut down, illegally downloaded Oracle support materials and created thousands of copies of Oracle’s actual software applications.

While Oracle has yet to comment, SAP made the following statement after hearing Judge Spero’s request: “It is in everyone’s best interest to bring this case to an appropriate resolution without undue delay.”

But just how eager are they to resolve it?

Earlier this month, Oracle and SAP held settlement talks but once again failed to reach an agreement, continuing to argue about which SAP documents are relevant to the case and how Oracle should have access to them.

And just last week, SAP asked for limits in the lawsuit, in order to “avoid bogging down proceedings” and make sure the case focuses on the issues that are “legally relevant and truly in dispute.” SAP also stated: “Oracle has sought to make this case as large and complex as possible by expanding its claims beyond what the law allows.”

What do you think? Will this order do any good? Can the two sides finally agree on a settlement, or will we continue to hear more of the same? What does it mean for Oracle customers and third-party support?

Happy Belated 4th Birthday to my blog

Posted in General by Pete Finnigan's Oracle security weblog on October 22nd, 2008 | No Comments

Well, it is slightly late BUT I have been blogging about (almost exclusively) Oracle security for 4 years now, the longest running blog dedicated just to Oracle Security. I started this blog on 20th September 2004 and it has....[Read More]

Posted by Pete On 02/10/08 At 09:01 PM

11 Sites and Software Tools For The Traveler

Posted in Database Support, General, Oracle by An Expert's Guide to Oracle Technology on October 22nd, 2008 | No Comments
I have been traveling a lot lately. A LOT. I used to travel weekly when I was consulting and liked it. I like going to new places, meeting new clients, learning new business models. I was never big on ...

Brief: McAfee antes up against cybercrime

Posted in General by SecurityFocus News on October 22nd, 2008 | No Comments
McAfee antes up against cybercrime

Federico Biancuzzi: From Physics to Security

Posted in General by SecurityFocus News on October 21st, 2008 | No Comments
From Physics to Security

Online Dialog on Health Information Technology and Privacy

Posted in Database Security, General by marcocasassamont on October 21st, 2008 | No Comments

As highlighted by this article, called "OMB sponsors online discussion of privacy issues":

"The Office of Management and Budget has asked the National Academy of Public Administration to hold a public discussion this month of health care privacy issues through an interactive Web site."

This online dialog will take place the week of October 27, at: http://www.thenationaldialogue.org/.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Oracle Password Cracker written in PL/SQL is available

Posted in General by Pete Finnigan's Oracle security weblog on October 21st, 2008 | No Comments

I have just created a dedicated page for my PL/SQL Oracle database password cracker and also linked to it from the Oracle Security Tools page. The code is available as a zip file at the end of the PL/SQL....[Read More]

Posted by Pete On 25/09/08 At 05:36 PM

Oracle Security talk available as slides and also video

Posted in General by Pete Finnigan's Oracle security weblog on October 21st, 2008 | No Comments

On Tuesday I did a webinar for Sentrigo on the subject of Oracle Security (of course). This went well and we had quite a good attendance. I started the talk with a ten minute or so demo of hacking an....[Read More]

Posted by Pete On 25/09/08 At 04:13 PM

Slides from my Oracle Security Masterclass at White-Hats are available

Posted in General by Pete Finnigan's Oracle security weblog on October 21st, 2008 | No Comments

I have just posted the slides from my talk last Friday at the White-Hats event in London. The Oracle Security Masterclass is based on previous ones but the slides are not exactly the same. The slides are on my Oracle....[Read More]

Posted by Pete On 29/09/08 At 07:39 PM

BSA hits Thailand

Posted in Database Support, General by ScottR on October 21st, 2008 | No Comments

Ecotec - Economic and Technical Crimes Suppression Division - in Thailand has been urged to crack down on software piracy by the BSA. It’s not just here in the states that audits are on the rise, but overseas companies are feeling it too. The crackdown will begin this month, and the organization will offer rewards up to 500,000 baht for tips of unlicensed software use.

According to an IDC Study on the Economic Benefits of Reducing PC Software Piracy released in January “A 10 percentage point reduction in Thailand’s PC software piracy rate would generate 2,100 new jobs, an additional US$1 billion (approximately 34.5 billion baht) in economic growth and more than $55 million (approximately 1.898 billion baht) in additional annual tax revenue.” That’s money you had better believe they are going to want to claim in the coming year!

Between January and August this year, police raided 39 companies from numerous industries, including manufacturing, design, automotive component production, plastics and packaging.

BSA has infiltrated Canada, Malaysia and the UK recently as well, proving software companies are very serious about piracy across the globe.

New IIARF Research Studies Fraud Risk Assessment

Posted in Database Audit, General by IIA News Feed on October 21st, 2008 | No Comments
This study examines whether nonfinancial measures can be effectively used to assess the reasonableness of financial performance and help detect financial statement fraud. Read more about efficient and effective methods of improving auditors' fraud risk assessments to enhance audit quality, reduce auditor liability, and improve investor protection.

Brief: Ohio searches for state-site attacker

Posted in General by SecurityFocus News on October 21st, 2008 | No Comments
Ohio searches for state-site attacker

CISOs Must Take The Lead On Business Resiliency

Posted in Database Security, General by Bill Nagel on October 21st, 2008 | No Comments
Aggressive global competition, greater service demands, more restrictive regulatory requirements, and increasingly rigid corporate oversight all raise the expectations for achieving and demonstrating business resiliency. Business continuity, IT disaster recovery, and information security are essential elements of business resiliency, with the common objective of managing the risks of business disruption. While all have traditionally operated as separate silos, they follow very similar business impact analysis and risk assessment processes, with heavy reliance on controls documentation, monitoring, and testing. Security and risk professionals should apply a common risk-based approach to these disciplines to streamline processes, improve cross-discipline collaboration, and provide a common system of managing risk.

Survey Says Internal Auditors Need More Information About XBRL

Posted in Database Audit, General by IIA News Feed on October 20th, 2008 | No Comments
IIA plans guidance on how internal auditing can play a vital role in conversion. ALTAMONTE SPRINGS, Fla. -- As mandates of filing financial reports in interactive data format - specifically in XBRL - become a reality for companies throughout the world, internal auditors are seeking out their role in the conversion. A recent Institute of Internal Auditors (IIA) survey of more than 200 chief audit executives worldwide found that more than half are not yet familiar with XBRL, and an overwhelming number - 90 percent - would be interested in guidance on internal auditing's involvement in the new process of filing financial statements with interactive data. In response, The IIA Research Foundation will release guidance on this topic in January 2009. READ MORE