Gartner: Evolve your role. Optimize value. Protect the business. Gartner Information Security Summit, June 28-July 1, 2009 in Washington DC
http://Gartner.com/us/itsecurity
PeakData Services, Inc.: Delivers consulting and professional services that help companies mitigate risk while storing, protecting, and managing their business-critical information efficiently and cost-effectively. This new IDC white paper, courtesy of PeakData, describes the importance of including decommissioned storage media in a broader risk mitigation program.
This month's issue of the ISSA Journal is now available online and features peer-reviewed articles on:
If you would like to receive your Journal electronically, just log in to the ISSA website and update your member profile.
The ISSA International Board of Directors would like to extend congratulations to Matthew Nelson, the North Dakota/Northern Plains Chapter president, and the chapter leaders for completing the formation process.
The University of Virginia has initiated a survey intended to gather benchmarking information related to the processes and costs associated with security patching activities. Analysis of responses will permit an understanding of how patching varies across business sectors, from company to company within a sector, and between larger and smaller companies. All collected data will be presented only in aggregate and will remain non-attributable and secure. The intent is to expose the results to an audience of government organizations and industrial firms. It is anticipated that the results will be incorporated into a Master's Degree thesis.
Typically the survey takes 15 minutes to complete and in no case more than 20 minutes.
A recent article published by Byte and Switch stated that only 29 percent of IT departments and 12 percent of legal departments understand e-discovery requirements. Seeing that 71 percent and 88 percent, respectively, do not, I feel it is important to lay down a foundation of the pertinent sections of the updated Federal Rules of Civil Procedure and the Federal Rules of Evidence, the basis for litigation in the United States.
I am not a lawyer and have no interest in becoming a lawyer; I am an information security professional in my final year of study for an Executive Juris Doctorate degree. The following is not a legal consultation but rather intended to help information security professionals gain an appreciation and understanding of e-discovery requirements and encourage them to seek further information from their legal counsel. Do not be afraid to start this conversation yourself.
Discovery
So, what is discovery? If a civil lawsuit is filed and not settled or dismissed by the court, the discovery process begins. On a high level, each party in the lawsuit shows the other party what evidence they will be presenting in court. Generally, evidence cannot be presented in court if it has not been disclosed during discovery. Each party can also request from the other party evidence which will support their case. If a party does not produce the evidence requested, the court could rule against them on the issue the evidence relates to or impose other punitive actions. The preponderance of electronic evidence is why understanding e-discovery requirements is so important and needs to be properly addressed and prepared for before a lawsuit is filed.
E-discovery rules can be divided into two parts: one governing the process for producing electronically stored information (ESI), and the other governing the quality of the ESI produced. The rules governing the process an organization must follow for e-discovery come from the Federal Rules of Civil Procedure (FRCP), which were amended in 2006 to simplify matters related to discovery. Although the rules only apply to U.S. District Courts, it should be noted that many states and other federal courts model their civil court rules on the FRCP. Legal counsel should be consulted for information about a specific court or jurisdiction. The best source of commentary on the e-discovery process comes from the U.S. Courts. I have based this article on that commentary.
Title: A Fireside Chat with the SDL
Date: June 9, 2009
Time: 12:30 PM US Pacific Time / 3:30 PM US Eastern Time / 8:30 PM London Time
Sponsored By: Microsoft
Note: Registration to join the webcast is not available until the day of the event (June 9th).
Webcast Description:
Threats are moving up the stack, and the attackers are now focusing their attacks on your custom applications. Join Michael Howard and Kai Axford from Microsoft's Trustworthy Computing group as they engage in an informal discussion with you about how the Security Development Lifecycle (SDL) was implemented in Windows 7. You'll learn how you can leverage some of these same techniques in developing your own custom applications and reduce vulnerabilities. This is not going to be your typical Death by PPT webcast, as Michael and Kai want to provide the maximum opportunity for you to have your questions answered on this very important topic. Reserve time on your calendar now for this entertaining and informative event.
Presenters' Biographies:
Michael Howard, Principal Security Program Manager, and Kai Axford, Senior Security Strategist, are both in Microsoft's Trustworthy Computing Group. As an architect of the Security Development Lifecycle (SDL), Michael is a frequent speaker at security-related conferences. Michael regularly publishes articles on security design and is the co-author of six security books, including the award-winning Writing Secure Code, 19 Deadly Sins of Software Security, The Security Development Lifecycle and his most recent release, Writing Secure Code for Windows Vista. Kai is a ten-year Microsoft veteran responsible for discussing and recommending security solutions for both private and public sector organizations. Along with conducting Chief Security Officer Councils worldwide, Kai has delivered more than 300 security presentations on a variety of topics, including digital forensics, security management, incident response, and computer espionage.
If you would like to receive The ISSA Journal in electronic format you can now opt-in to this new alternative by updating your ISSA member profile. Those who prefer the hard copy will continue to receive their usual copy unless they opt-in to e-delivery.