Web Log news, events, and more

Thursday, July 24, 2008

Sharing Experiences: COBIT Newsletter

IT professionals, managers, COBIT implementers and evaluators—and anyone interested in COBIT—should be aware of COBIT Focus, a newsletter designed specifically for users of COBIT. COBIT Focus provides updates on COBIT developments and provides a vehicle for sharing COBIT experiences.

COBIT Focus is available at www.isaca.org/cobitnewsletter. The July 2008 issue has now been released and includes these timely articles:
  • Applying COBIT With Limited Resources
  • The Relationship Between COBIT and Val IT
  • Combining Information Technology Standards to Strengthen Network Security
  • New IT Risk Management Framework: How It Relates to COBIT
Members of the growing COBIT user community are encouraged to submit articles for publication in future issues. For more information on this opportunity, please e-mail the editors at publication@isaca.org.

The publishers would also like to know what you think of COBIT Focus. Your responses will help them assess the value of the newsletter and identify improvements. Support COBIT Focus by submitting comments to publication@isaca.org.

Monday, July 14, 2008

Where Security Gets Lost in Virtualization

The exploding popularity of virtualization has apparently created two virtual realities. In one, the VM vendor builds security into its own products but disregards vulnerabilities introduced by the VM's interaction with other software. In the alternate reality, VM vendors take responsibility for their products' overall security, including the bad things that might happen when other software is put on top of them.

In a virtualized IT environment, who is responsible for security? The question has divided pundits into fundamentalist factions. For a taste of the debate, look no further than the war of words between Simon Crosby at Citrix, a virtualization software vendor, and Chris Hoff, Chief Security Architect at Unisys. Crosby argues that every vendor is responsible for its own products, not others'. Citrix will take care that its Xen hypervisor is protected, but someone else had better be minding that the operating system's touchpoints with the VM don't introduce vulnerabilities.

Hoff, on the other hand, points out that putting security responsibility on each software vendor ignores the fact that virtualization, like any complex new technology, will introduce new vulnerabilities: Windows 2000 shipped with over 20K known defects. Software in general is on a trajectory of escalating complexity, spawning more interfaces, metaphors, standards, protocols, products, <insert your favorite software characteristic here>. Throwing in a VM just opens another door to an exploit.

Personally, I fall into Hoff's camp. But for a balanced, level-headed viewpoint, read William Jackson's story in Government Computer News. It takes the Crosby-Hoff debate down to its essence. So who owns security? It depends on your reality.


Monday, July 7, 2008

Information Security Becomes a Strategic Enabler

The Spring 2008 premiere issue of InfoSecurity Professional, a new publication of (ISC)², reflects the trend toward security as an independent profession, apart from IT. The proposition is supported by (ISC)²’s 2008 Global Information Security Workforce Study, a comprehensive survey of information security professionals conducted by Frost & Sullivan. The survey polled more than 7,500 practitioners from over 100 countries.

Among the findings, security professionals overwhelmingly concern themselves with security issues, not IT issues (see chart). Only 28 percent of respondents said that they report to an IT department, down from 37 percent in the previous survey. Lines of reporting have shifted in other ways as well: a quarter of respondents said they are part of executive management, while 21 percent report to a security department within their organization.

Overall, the study’s data point to more diverse opportunities and growth in information security as it evolves into a strategic and mature discipline.