Published: April 29 2009, 11:45 AM | no comments
by CA GRC Blog Admin

In the April issue of our CA Advisor: Governance newsletter, Sumner Blount takes a look at some key factors driving an increased focus on risk management "" from the fallout from the recent financial crisis to changes in Standard & Poor's overall corporate evaluations "" and uncovers the approaches companies should consider adopting to better manage risks and improve business operations. You can read the full story here.

Also in this month's issue is a piece by our colleague Terrence Clark, SVP and general manager of CA ecoSoftware. Terrence addresses the importance of taking a systematic approach to green governance "" our way of helping companies implement and measure an organization-wide sustainability plan. You can read the full story here and read more about CA's thoughts on green IT by visiting our Greenability blog.

If you'd like to subscribe to our Governance newsletter, visit this link (step two of the registration process allows you to subscribe to a range of CA newsletters).

Published: April 29 2009, 11:17 AM | no comments
by Matthew Gardiner

 

I am just back from the RSA Conference in San Francisco.   Here are 5 of the happenings that seemed most significant to me:

1. Oracle purchases Sun -When I walked into the Moscone Center early Monday I was greeted with the news of Oracle's purchase of Sun Microsystems. Not that Sun's availability for corporate marriage was in doubt, but who would have guessed Oracle? I think the quick security oriented takeaway is that there is no security oriented takeaway. Oracle is buying Sun for a lot of reasons (Java, Solaris, to name a few) but I don't think Sun's security products are one of them. Given the significant high-level overlap between their respective security management related offerings it is anyone's guess how the deck will ultimately get sorted at the combined organization.
2. Where did all the security pros go? - Anecdotally, attendance seemed down to me this year. Given that the majority of people who typically attend this event have to travel a long way, it wouldn't be surprising if attendance was down owing to the overall economic slowdown.  I am confident attendance at the RSA Conference will bounce back, perhaps as soon as next year.  It is still one of the key happenings for security professionals. 
3. SaaS security is starting to move up the hype cycle - How do I know that SaaS is moving up the hype cycle?  When everyone is talking about something, that nearly no one has any experience with, no one can define in the same way (ask any two people and you will get at least three opinions) and that three eminent cryptographers are simultaneously positive, negative, and bored with...you know that a technology is in the midst of climbing the hype cycle.  One thing that everyone agrees with is that there are significant security issues with SaaS. 
4. The birth of the Kantara Initiative - If you have ever been frustrated with the pace at which industry adopts standards, then you need to check out the Kantara Initiative www.kantarainitiative.org.  At Monday's Liberty Alliance coordinated workshop http://projectconcordia.org/index.php/April_20_pre-conference_workshop, Brett Mcdowell announced the birth of the Kantara Initative, which, as its name implies (if you speak an African dialect or Arabic), is designed to bring us all together to deliver on the need for a privacy respecting online identity system that among other things will coalesce the identity needs of consumers, enterprises, and governments.  The adoption of standards is more than creating technical specifications, thus the Kantara Initative will be doing more.  Maybe helping to convert the Venn of Identity  into the Zen of Identity (apologies to the true author of this witty phrase if I didn't make it up...I never remember how half the things get into my head)
5. SC Magazine Awarding CA the Readers Trust Award for Best Identity Management Solution - I know what you are thinking "shameless promotion" http://www.ca.com/us/press/release.aspx?cid=204071

What can I say, it's nice to see your friends and colleagues get kudos for their hard work on a key CA security product, namely CA Identity Manager.   This is not self-congratulations as I work on the Web security solutions at CA, namely SiteMinder, Federation, and Web services security, and not directly on CA Identity Manager.  

For anyone who will be at the Kuppinger Cole identity conference next week in Munich Germany, please stop me and say hello.  I will blog about that conference probably on the flight home to Boston.

http://www.id-conf.com/eic2009

Published: April 29 2009, 06:59 AM | no comments
by Mark MacDonald

The Federal Rules of Civil Procedure (FRCP) require that companies be able to speak intelligently about the state of their Electronically Stored Information (ESI). They don't come right out and say how to do it. But they do require that, in the event of a lawsuit, ESI be retrieved in a timely manner during eDiscovery. While these rules have been in place for a couple of years, some organizations are just now coming to grips with managing their information infrastructure. It's a pretty daunting challenge. Information continues to grow every day, so there is the need to address the problem today, if not yesterday.

As a first step toward preparing for eDiscovery, CA recommends that our customers start by creating a Data Map. While it may seem obvious, in practice it is not so easy. The data can be literally all over the map. Just a few of the things that make the data map challenging:

• Not knowing what hardware you have across the enterprise. Only once you do can you inventory what Information is there.




• What applications are in use (or no longer in use) like email, document management systems, file share systems and the like.




• Many organizations were created by M&A. The challenge here is that there can be a lot of vitally important content that may not have been documented prior to an acquisition.




• Different locations present their own set of challenges due to ownership and geographical distance.




• Related to emails are .PST files. Have you told your employees they have a limit on the size of their email box? No problem, they'll create PST files, full of risky, proprietary corporate information and keep it on their PC, backed up on a drive at home, or on a flash stick. Who knows what they'll do? A lot of organizations don't.




• Backup systems.

In addition to knowing what information the organization has, there should be the following accompanying information for each type.

• Who uses the information




• The native format




• The retention schedules




• Backup status of the information

Creating the data map will not be easy, and it will take time and resources to create it. But look at it this way: It is virtually impossible to be responsive to the timeframe required by the FRCP without first having a data map. Do it now while you can take your time doing it, because otherwise it could be too late.

Published: April 28 2009, 06:00 AM | no comments
by CA GRC Blog Admin

In the third installment of our 5-part video blog series, Scott Mitchell, CEO of OCEG, shares his thoughts on using a broad GRC strategy to resolve an immediate pain point.

Trouble viewing the video? Click here to view this and other CA videos on the CA YouTube channel.